Abstract

This work proposes a symbolic algorithm for the construction of assume-guarantee specifications 
that allow multiple agents to cooperate. Each agent is assigned goals expressed in a fragment of linear 
temporal logic known as generalized reactivity of rank 1 (GR(1)). These goals may be unrealizable, 
unless additional assumptions are made by each agent about the behavior of the other agents. The 
proposed algorithm constructs weakly fair assumptions for each agent, to ensure that they can cooperate 
successfully. A necessary requirement is that the given goals be cooperatively satisfiable. We prove that 
there exist games for which the GR(1) fragment with liveness properties over states is not sufficient to 
ensure realizability from any state in the cooperatively winning set. The obstruction is due to circular 
dependencies of liveness goals. To prevent circularity, we introduce nested games as a formalism to 
express specifications with conditional assumptions. The algorithm is symbolic, with fixpoint structure 
similar to the GR(1) synthesis algorithm, implying time complexity polynomial in the number of states, 
and linear in the number of recurrence goals. 
1 Introduction

The design and construction of a large system relies on the ability to divide the problem into smaller ones. 
Each subproblem involves a subset of the system, and may itself be refined further into smaller problems. The 
subsystems that result from the smaller problems are considered as modules of the larger system. In many 
cases, the modules interact with each other, either physically, or as software, or both. For this reason, the 
interaction between modules needs to be constrained, in order to ensure that the modules can perform their 
operation as intended. For example, if we consider the fridge and a power plug as modules of a house, then 
the fridge can only preserve food provided that the plug provides electric power uninterruptedly. In many 
cases, modularization is a necessity, imposed by the topology of the design, because the system comprises
elements distributed over space. These elements control some local part of the system, but they need to
communicate, in order to coordinate.

Among the benefits of modularization are the division of a complex problem into smaller ones that are 
computationally cheaper to solve, the localization of reasoning, which focuses the designer’s attention and 
reduces the danger of errors, and the ability to assign the design of each subsystem to a different entity, 
for example a contractor specializing in that type of system. In addition, a well-defined description of 
each individual component enables re-using the same design in a different context, where such a component 
is needed. This leads to the possibility of interfacing off-the-shelf components, based on their interface 
description, thus reducing the need for case-by-case design and production. 

In order to describe a module and its interaction with other modules, and their environment, it is necessary 
to represent them. A representation can range from an informal textual description, to a mathematically 
defined notation, with fixed syntax and semantics. The latter is desirable, because it is not ambiguous, and 
it enables automation of checking whether a candidate solution satisfies the requirements. Such a formal 
representation is usually called a specification. 

Proving that a system will behave as intended, insofar as this is captured by a specification, is a major 
objective in systems that are critical for the safety of humans, or have a very high cost. These include aircraft,
especially airliners; spacecraft, which are a major investment and whose missions are, in many cases, unique
and not repeated; automotive subsystems; nuclear power plant controllers; and several other application areas.

We can distinguish two broad problems, at different phases of system design. The first one asks for 
producing formal specifications that describe the modules, with detail sufficient to allow for automated 
synthesis. The second problem asks for constructing an implementation of each module, and assembling the 
results into a complete composite system. The first problem comprises the modularization and specification 
step, whereas the second is the construction phase. 

The specification of a system can be written by humans, or constructed by an algorithm. The latter
approach is known as (automated) synthesis, and relies on notions from the theory of games [1]. Synthesis has
attracted considerable interest in the past two decades, and advances both in theory and implementation 
have been made, as described in the following sections. In this work, we are interested in algorithmic 
synthesis, for both phases of system design. In particular, we aim at automatically modularizing a design 
that has been partially specified by a human. In other words, humans give as input a formal description 
about what each module is expected to accomplish. Note that this step is necessary, in one form or another, 
because the algorithm cannot know what the modules are intended for. We consider these as the primitive 
specifications, that are given by a human, and will be completed algorithmically. These specifications may 
be insufficient for obtaining a coherent system, but describe the goals, and provide the starting point for an 
algorithmic approach to complete the specifications, and then construct implementations. The automated 
modularization step involves completing the specifications, by adding more detail, in a way that ensures 
that there exist components satisfying the primitive specifications. Regarding the synthesis phase, we are 
interested in efficient and scalable synthesis algorithms that can handle specifications with many goals. 

Clearly, the formal description of all the details in a given implementation is itself a specification. However, 
fixing a particular implementation is usually much more restrictive than needed. It is desired to describe 
only what is necessary of a particular module, and leave the internal details of its exact operation to be 
decided by the implementor of that module. The difference between an implementation, and a less restrictive 
specification is quantification. A specification contains existential quantification, if it asks for some type of
behavior contained in a given set, but does not describe a particular instance of that behavior. Another 
term that is commonly used to characterize this quality of a specification is declarative. 

This motivates regarding synthesis as a compiler activity. In analogy with declarative programming languages
like Haskell, a declarative specification is intended to leave unconstrained the exact imperative details
of how the implementation will behave, step-by-step. A synthesizer from declarative specifications compiles 
them into an implementation that operates in time by reading environment inputs, and writing outputs. 
Reading and writing are used here in a broad sense, meaning interaction that may involve mechanical or 
hydraulic forces. A distinction between conventional declarative languages, and module synthesis is that the 
latter produces components that continue to interact with their environment without ever terminating, also 
known as reactive systems. For example, the computer that controls a nuclear reactor is not intended to 
terminate and produce some result, under normal operation. This is in contrast to a matrix multiplication 
program. 


2 Modular design by contract 

There have been several approaches to the modularization of systems. The design of each module becomes 
simpler, because it involves fewer elements, as counted, for example, by the number of variables used to 
represent it. However, the challenge is shifted, from designing a monolithic system, to putting together the 
pieces. In this report, we consider the problem of interfacing the modules. 

Our approach constructs specifications that are partitioned into assumptions about the behavior of the 
world outside a component, and requirements that the component guarantees, provided its assumptions hold. 
This is known as the assumption-commitment, or rely-guarantee, paradigm for describing behaviors.

The assumption-commitment paradigm about reactive systems is an evolved instance of reasoning about 
conditions before, and after, a terminating behavior. A formalism for reasoning using triples of a precondition, 
a program, and a postcondition was introduced by Hoare [5], following the work of Floyd [5] on proving
properties of elements in a flowchart, based on ideas by Perlis and Gorn [3].

Hoare’s logic applies to terminating programs. However, many systems are not intended to terminate, 
but instead continue to operate, by reacting to their environment [5]. Francez and Pnueli [6] introduced a 
first generalization of Hoare-style reasoning to cyclic programs. They also considered concurrent programs. 
Their formalism uses explicit mention of time, and is structured into pairs of assumptions and commitments. 

Lamport [7] observed that such a style of specification is essential to reason about complex systems in 
a modular way. Lamport and Schneider [8] introduced, and related to previous approaches, what they
called generalized Hoare logic. This is a formalism for reasoning with pre- and post-conditions, in order to
prove program invariants. Misra and Chandy [9] introduced the rely-guarantee approach for safety properties
of distributed systems. All properties up to this point were safety properties, not expressed in temporal
logic [?]. Two developments followed, and the work presented here is based on them.

The first was Lamport’s introduction of proof lattices [12]. A proof lattice is a finite rooted directed
acyclic graph, labeled with assertions. If $u$ is a node labeled with property $U$, and $v, w$ are its successors,
labeled with properties $V, W$, then if $U$ holds at any time, eventually either $V$ or $W$ will hold. In temporal
logic, this can be expressed as $\Box(U \to \Diamond(V \vee W))$. Owicki and Lamport [13] revised the proof lattice
approach, by labeling nodes with temporal properties, instead of atemporal ones (immediate assertions).

The second development was the expression by Pnueli [14] of assume-guarantee pairs in temporal logic,
i.e., without reference to an explicit time variable. In addition, Pnueli proposed a proof method for liveness
properties, which is based on well-founded induction. This method can be understood as starting with some
temporal premises for each component, and iteratively tightening these properties into consequents that are
added to the collection of available premises, for the purpose of deriving further consequents. This method
enables proving liveness properties of modular systems. Informally, the requirement of well-foundedness
allows using as premises only properties from an earlier stage of the deductive process. This prevents
circular existential reasoning about the future, i.e., circular dependencies of liveness properties. As a simple
example consider Alice and Bob. Alice promises that, if she sees $b$, then she will do $a$ at some time in
the future. Reciprocally, Bob promises to eventually do $b$, after he sees $a$. As linear temporal logic (LTL)
formulae, these read $\Box(b \to \bigcirc\Diamond a)$ for Alice, and the same with $a, b$ swapped for Bob. If both Alice and Bob default
to not doing any of $a$ or $b$, then they both satisfy their specifications. This problem arises because existential
quantification in future time¹ allows simultaneous antecedent failure. Otherwise, if Bob were required to do $b$
for the first time, then Alice would have to do $a$, then Bob do $b$ again, etc.

Compositional approaches to verification have treated the issue of circularity by using the description
of the model under verification as a vehicle for carrying out the proof. In other words, the immediate
behavior of the model, as captured by its transition relation, should constrain the system sufficiently,
so as to enable deducing the satisfaction of its liveness guarantees, as in the work of Abadi and Lamport
[16]. This approach is suitable for verification, because the model is available at that stage. However,
in the automated construction of specifications for synthesis, we prefer to quantify over time, instead of
describing immediate behavior. Therefore, we desire to be able to reason about dependencies of liveness
properties between modules, with minimal reliance on the implementation, i.e., on safety properties. Stark
[17] proposed a proof rule for assume-guarantee reasoning about a non-circular set of liveness properties.
McMillan [18] introduced a proof rule for circular reasoning about liveness. However, this proof system is
intended for verification, so it relies on the availability of a model. It requires the definition of a proof lattice,
and introduces graph edges that consume time, as a means to break simultaneity cycles. The method we
propose in this work constructs specifications that can have dependencies of liveness goals, but in a way that
avoids circularity. It is discussed in Section [?].

The assumption-guarantee paradigm has since evolved, and been renamed several times. Meyer [19] called
the paradigm design by contract, and supported its use for abstracting software libraries, and validating the
correct operation of software. The notion of a contract generalizes assume-guarantee reasoning, because a
contract can have several forms. For example, it may come in the form of an interface automaton [20], which
offers only an implicit description of assumptions, as those environments that can be successfully connected
to the interface. The interface automaton abstracts the internal details of a module, and serves as its surface
appearance towards other modules.

More recently, contracts have been proposed for specifying the design of systems with both physical and
computational aspects [21]. In this context, contracts are used broadly, as an umbrella term that encompasses
both interface theories and assume-guarantee contracts [22, 23], with extensions to timed and probabilistic
specifications. A proof system for verifying that a set of contracts refines a contract for the composite system
has been proposed in [28]. A verification tool for contract refinement using an SMT solver is described in
[24]. This body of work focuses mainly on using, or manipulating, existing contracts. We are interested in
constructing contracts.


3 Games 

In this section, we review relevant results from the literature on games of infinite duration. The literature is 
extensive, so we restrict to a sample that we consider representative. The problem of constructing a module 
that exhibits a desired set of behaviors in time can be solved with algorithms that solve games. There are 
different types of games, depending on: 

• how many transducers are being constructed inside a single system, 

• the order of player choice, 

• the winning condition, 

• the visibility of variables, and 

• the number of players. 

Games can be turn-based, where a single player moves in each time step, or concurrent [25, 26]. In
synchronous games, turns are taken with a fixed schedule, whereas asynchronous games are scheduled
dynamically by a dedicated player called the scheduler [27].

If we want to construct a single transducer, then the synthesis problem is centralized. Synchronous
centralized synthesis from LTL has time complexity doubly exponential in the length of the formula [?], and
polynomial in the number of states. By restricting to a less expressive fragment of LTL, the complexity can
be lowered to polynomial in the formula [28]. Asynchronous centralized synthesis does not yield to such a
reduction [29]. Partial information games pose a challenge similar to full LTL properties, due to the need for
a powerset-like construction [30]. To avoid this route, alternative methods have been developed [31], that
use universal co-Büchi automata, instead of determinization, and antichains [32].

¹ Compare with existential quantification in past time, as is the case in the past fragment of LTL. This causes no problems,
because it concerns things past.

If we want to construct several communicating transducers to obtain some collective behavior, then
synthesis is called distributed. Of major importance in distributed synthesis is who talks to whom, and
how much, called the communication architecture. A distributed game with full information is in essence a
centralized synthesis problem. Distributed synchronous games with partial information are undecidable [33],
unless we restrict the communication architecture to avoid information forks [34], or restrict the specifications
to limited fragments of LTL [35]. Bounded synthesis circumvents this intractability by searching for
systems with a priori bounded memory [36]. Asynchronous distributed synthesis is undecidable [?].

Besides distributed co-synthesis of fixed transducers, the more general notion of assume-guarantee
synthesis [?] constructs transducers that can interface with a complete set of other transducers, as described
by an assumption property. This is the same viewpoint as the approach proposed here. A difference is
that we are interested in synthesizing temporal properties with quantification (liveness), instead of
transducers directly. Besides, note that distributed in the literature means constructing multiple transducers. In
contrast, we are interested in distributed also in the sense that the modules will be synthesized separately.
Thus, in the problem we consider, distributed synthesis with full information does not reduce to centralized
synthesis.

Another body of work relevant to our effort is the construction of assumptions that make an unrealizable
problem realizable. The methods originally developed for this purpose have been targeted at compositional
verification, and use the L* algorithm for learning deterministic automata [38], implemented also
symbolically [39]. Later work addressed synthesis, with the theory for a solution proposed in [40], on which our
work builds. This approach separates the construction of assumptions into safety and liveness. The safety
assumption is obtained by property closure, which also plays a key role in the composition theorem presented
in [13].

Methods that use opponent strategies to refine the assumptions of a generalized Streett(1) specification,
searching over syntactic patterns, were proposed in [41, 42]. The syntactic approach of [42] was used in [43]
to refine assume-guarantee specifications of coupled modules. However, that work cannot handle circularly
connected modules, and thus neither circular liveness dependencies. Other approaches aim at identifying the
root causes of unrealizability in demanding guarantees [44]. A comprehensive survey can be found in [45].


4 Proposed approach 

This report proposes a method for constructing assume-guarantee specifications for a set of modules. The
resulting specifications must be realizable [46], i.e., for each module, there should exist a transducer that
implements its specification. The required behavior of each module is described by a contract over a set of
variables that can change values in time. We choose linear temporal logic (LTL) [11] to describe contract
specifications. The specification of a module includes a partition of variables into inputs (uncontrolled by the
module), and outputs (controlled by the module), as well as the primitive goals that the module must achieve,
but no assumptions yet. These goals form an overall objective that the resulting contracts should satisfy.
At this stage, the goals may be insufficient to ensure cooperation of the modules with each other. In other
words, the specifier defines guarantees for each module, and the proposed method introduces assumptions
that ensure realizability. Note that each property introduced as an assumption in the contract of some
module will also become a guarantee in the contract of some other module.

We assume that, if we were to construct a single transducer that controls the variables of all modules, then 
such a transducer exists. This requires that the conjoined goals be satisfiable. If the goals are unsatisfiable, 
then the algorithm diagnoses so, but cannot resolve the conflicts. Such a resolution would be arbitrary, 
because it alters the design intent that a human defined, so it should be performed by a human. 

As noted in Section 3, synthesis from LTL specifications is intractable. For this reason, we restrict our
effort to an LTL fragment that is less expressive, but still practically useful, while allowing synthesis in time
polynomial in the number of states, and in the size of the specification formulae. The selected fragment is
known as generalized reactivity of rank 1, GR(1) [28], and describes generalized Streett games with one pair,
comprising a persistence and an acceptance property. This restriction aims at making the synthesis
phase efficient, after the contracts have been constructed, as well as the construction of the contracts themselves. It
is a trade-off between expressive power and complexity. It corresponds to considering the bottom level in
the Borel hierarchy of sets of behaviors, as sequences [37].

We model a composite system as a game with multiple players, each representing a module. In Section [?],
the winning set is computed for the case of a centralized transducer, also known as the cooperative winning
set. This is used as a safety assumption for all modules, in order to prevent any module from forcing the
system to exit the set from where another module has a winning strategy.

For each module, and each recurrence goal, the winning set in the game with that goal is computed in
Section [?]. If the winning region is smaller than the cooperative winning set, then weak liveness assumptions
are computed for the other players, until reaching a new fixpoint. These assumptions must be unconditionally
realizable, to prevent trivial realizability of a particular game.

The predicates in the resulting contract are represented symbolically, as binary decision diagrams (BDDs).
This is in contrast with syntactic approaches for constructing assumptions. Syntactic approaches are
restricted to the subset of specifications producible by the chosen grammar template, thus are incomplete. In
contrast, our semantic approach always obtains a solution, if one exists. The trade-off is that the resulting
properties do not have a syntactic form digestible by humans. The semantic contracts that we construct
correspond to a view of contracts as an intermediate result, to be consumed by synthesis algorithms that
will construct each individual module, potentially after a refinement of the contract by addition of local,
internal, requirements.

As discussed in Section 2, a challenge in modular specification is reasoning about liveness. An assume-
guarantee contract is intended to remain as declarative as possible. However, there are behaviors that, if
specified declaratively, lead to cyclic dependency of liveness properties. For this reason, we structure the
constructed specifications in a way that avoids circular dependencies of liveness requirements. This requires
imposing a sequencing order on the liveness properties involved. In verification, the implementation itself
is used as reference for enforcing this sequencing. In temporal logic, it is possible to achieve this purpose
by explicitly introducing auxiliary variables. We avoid introducing such additional variables, because they
increase the state space and can be regarded as a limited form of synthesis. Instead, we alter the specification
structure, from flat to nested. For each liveness goal, nesting is introduced in the form of a stack of games.
Each game in the stack has a reachability objective, and separate assumptions. Winning one of these games
leads higher in the stack, until the top is reached. The top game can be won directly, and leads to the
recurrence goal. The reliance on safety is in that each subgame is defined on a subset of the states. In this
way, the composite system is prevented from regressing backwards, to a previous game, and progress towards
the recurrence goal is ensured.


5 Preliminaries 

5.1 Turn-based synchronous games 

We consider turn-based synchronous games with two players [25, 26]. The results can be extended to multiple
players. We do not consider concurrent games, because they are not determined, and a strategy can require
an infinite amount of memory [20].

The situation in a game is represented by a number of variables. An assignment to these variables is
called the state of the game. The game evolves by a sequence of state changes. If, in each state change, only
a single player changes its own state, then the game is called turn-based [25]. It is synchronous if the players
take turns in a fixed order.

In a game with two players, we will refer to the two players by the indices 0 and 1. In some cases, we
will also use the notation of indexing the players with the letters $e$ (environment) and $s$ (system), instead
of numbers. This is more readable when we discuss operations that consider one player as the system of
interest, and lump the remaining players together as the environment of that player.

The state comprises the variables in the set $V$. Each player can read all the variables, i.e., it has full
information. Each player can write only those variables that she owns, with the exception of variable $i$.
Player $j$ owns the set $X_j$ of variables. In addition, each player increments the auxiliary variable $i$, used to
track turns. So, $V = \{i\} \cup \bigcup_{j=0}^{n-1} X_j$.

By $x_i$ we will denote both the tuple of symbols in $X_i$, as well as a tuple of values assigned to those
symbols. In its own turns, player $i$ chooses a next assignment $x'_i \in 2^{X'_i}$. The set of all states $2^V$ is denoted by
$S$. For a set of variable symbols $X$, define the set of assignments $\llbracket \top \rrbracket_X = 2^X$. A predicate $f$ indicates a set

$$\llbracket f \rrbracket_X \triangleq \{\, u \in 2^X \mid f(u) \,\}. \qquad (1)$$

The game can be represented by a game graph, with nodes partitioned between the two players. At each
node, only one of the two players moves. The game graph is bipartite, because the game is turn-based.
Note that bipartiteness is necessary² later, for switching between players when constructing a nested game.
The player that moves first can be selected later, after computing the winning sets, when constructing the
transducers.

Each node in the game graph is represented by a tuple $(x, i)$, where:

• $x_i \in 2^{X_i}$ is an assignment for the variables owned by player $i$, and the aggregate state is $x = (x_0, x_1, \ldots, x_{n-1})$;

• $i \in I = \mathbb{N}_{<n}$ is an index that signifies the player that takes a turn from $(x, i)$.

The transition relation of player $i$ is $\rho_i(x, x'_i)$, where $\rho_i$ is an action formula (a Boolean formula over primed
and unprimed variables) [48]. Player $i$ moves from the node $(x, i)$, by assigning values to the variables in $x'_i$. Let
$x_{\bar{j}}$ denote (either a tuple of, or an assignment to) variables in […] minimize use of the
term state, because it can be confusing.

Remark 1. A (synchronous) interleaving representation [?] is used here for the game, because it is
symmetric and emphasizes the turn-based semantics. As observed in [?], an interleaving representation can be
easier to reason about. In the literature about GR(1) games, typically a non-interleaving representation is
used. In a non-interleaving representation, the combination of primed and unprimed variables captures whose
turn it is to play (the role served by the integer variable $i$). In that representation, player 0 moves from a
valuation of $(x_0, x_1)$, and player 1 moves from $(x'_0, x_1)$. Note that the scheduling variable $i$ is shared-write
by all players.

5.2 Integrals 

In this section, we consider preimage functions induced by the transition relations $\rho_i$. These functions result
from different quantifications of the variables. Depending on the source and target set, several variants can
be defined. We will refer to predicates and the sets they represent interchangeably.

Definition 2 (Predecessors). Given a predicate $F$ over $V$, the existential predecessors of $F$ are those nodes
from where the set $\llbracket F \rrbracket_V$ can be reached with one transition in the game graph,

$$\mathrm{Pre}_{\exists, j}(F) = \lambda x.\ \lambda i.\ (i = j) \wedge \exists x'_j.\ \rho_j(x, x'_j) \wedge F\big|_{x_j,\, i}(x'_j,\ j \oplus_n 1), \qquad (2)$$

where $j \oplus_n k = (j + k) \bmod n$. Denote by $\mathrm{Pre}(F) = \bigvee_{j \in I} \mathrm{Pre}_{\exists, j}(F)$ the predecessors resulting from moves by all
players.

The semantics of the least fixpoint operator $\mu X.\ f(X)$ is defined as
= ^>0 (3) 

where $M$ is a set of variables, and $\mathcal{E} : \{X, \ldots\} \to \llbracket \top \rrbracket_M$ is an assignment that keeps track of the fixpoint
iteration. The notation $\mathcal{E}[X \leftarrow \llbracket \mu \rrbracket_M]$ denotes the modification of $\mathcal{E}$ to assign the set $\llbracket \mu \rrbracket_M$ to variable $X$.

² Any game graph can be converted to a bipartite one, by introducing intermediate nodes.



Definition 3 (Iterated predecessors). The iterated predecessor relation yields the nodes that can reach the
set $\llbracket F \rrbracket$ under some behavior of the players, or are already in the set $\llbracket F \rrbracket$, i.e.,

$$\mathrm{Pre}^*(F) = \mu X.\ F \vee \mathrm{Pre}(X). \qquad (4)$$

Note that the set $\llbracket \mathrm{Pre}^*(F) \rrbracket$ contains the nodes from where the players can cooperate to reach the set
$\llbracket F \rrbracket$. Where clear from the context, we will call both $\mathrm{Pre}$ and $\mathrm{Pre}^*$ predecessor sets.

Definition 4 (Controllable predecessors). The controllable predecessors of $F$ for player $j$ are those nodes
from where player $j$ can force a visit to the set $\llbracket F \rrbracket_V$ in the next logic time step, irrespective of how the other
players move, i.e.,

$$\mathrm{CPre}_j(F) = \lambda x.\ \lambda i.\ \bigvee_{k \in I} \Big( (i = k) \wedge \mathrm{ite}\big(k = j,\ \exists x'_k.\ \rho_k(x, x'_k) \wedge F\big|_{x_k,\, i}(x'_k,\ k \oplus_n 1),\ \forall x'_k.\ \rho_k(x, x'_k) \to F\big|_{x_k,\, i}(x'_k,\ k \oplus_n 1)\big) \Big). \qquad (5)$$

For example, for player $j = 0$ in a game with $n = 2$ players, it is

$$\begin{aligned}
\mathrm{CPre}_0(F) = \lambda x.\ \lambda i.\ & \big( (i = 0) \wedge \exists x'_0.\ \rho_0(x, x'_0) \wedge F\big|_{x_0,\, i}(x'_0,\ 0 \oplus_2 1) \big) \vee \\
& \big( (i = 1) \wedge \forall x'_1.\ \rho_1(x, x'_1) \to F\big|_{x_1,\, i}(x'_1,\ 1 \oplus_2 1) \big) \\
= \lambda x.\ \lambda i.\ & \big( (i = 0) \wedge \exists x'_0.\ \rho_0(x, x'_0) \wedge F\big|_{x_0,\, i}(x'_0,\ 1) \big) \vee \\
& \big( (i = 1) \wedge \forall x'_1.\ \rho_1(x, x'_1) \to F\big|_{x_1,\, i}(x'_1,\ 0) \big).
\end{aligned} \qquad (6)$$

As defined here, the operator $\mathrm{CPre}$ is the predicate version of that defined in [1]. An attractor contains the
nodes from where player $j$ can force its way to the set $\llbracket F \rrbracket$.

Definition 5 (Attractor). The attractor $\mathrm{Attr}_j(F)$ for player $j$ is the set of all nodes from where the system
can force a future visit to the set $\llbracket F \rrbracket$, or is already in $\llbracket F \rrbracket$,

$$\mathrm{Attr}_j(F) = \mu X.\ F \vee \mathrm{CPre}_j(X). \qquad (7)$$

As alternative notation, let $\mathrm{CPre}^*_j(F) = \mathrm{Attr}_j(F)$.
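The operators of Definitions 2 to 5 can be exercised on a small explicit game. The following Python block is an added example, not code from the paper: it represents predicates as sets of nodes rather than BDDs, uses a constructed two-player game (player 0 owns $x_0 \in \{0, 1, 2\}$, player 1 owns $x_1 \in \{0, 1\}$; the domains and the actions $\rho_0, \rho_1$ are assumptions of the example), and computes $\mathrm{Pre}^*$, $\mathrm{CPre}_j$ and $\mathrm{Attr}_j$ by fixpoint iteration. The difference between the cooperative set $\mathrm{Pre}^*(F)$ and the attractor $\mathrm{Attr}_0(F)$ is exactly the region where player 0 can reach $F$ only under assumptions about player 1, which is the situation the method of Section 4 addresses.

```python
"""Explicit-set versions of the predecessor operators of Section 5.2.

Added example, not code from the paper. Predicates are Python frozensets of
nodes instead of BDDs; the game below is constructed for illustration:
n = 2 players, player 0 owns x0 in {0, 1, 2}, player 1 owns x1 in {0, 1},
and a node is (x0, x1, i) with i the scheduling variable (who moves next).
"""

N = 2                                  # number of players (assumption)
DOMAIN = {0: (0, 1, 2), 1: (0, 1)}     # value domains of x0 and x1 (assumption)


def rho(j, x, xj_new):
    """Action rho_j(x, x_j'): may player j set its variable to xj_new from x?"""
    x0, x1 = x
    if j == 0:
        # player 0 may keep x0, or increment it, but only while x1 == 1
        return xj_new == x0 or (x1 == 1 and x0 < 2 and xj_new == x0 + 1)
    # player 1 is unconstrained: it may choose any value of x1
    return True


NODES = frozenset((x0, x1, i) for x0 in DOMAIN[0] for x1 in DOMAIN[1] for i in range(N))


def successors(node):
    """One transition from (x, i): player i assigns x_i', then i becomes i (+)_n 1."""
    x0, x1, i = node
    x = (x0, x1)
    out = set()
    for v in DOMAIN[i]:
        if rho(i, x, v):
            new_x = list(x)
            new_x[i] = v
            out.add((new_x[0], new_x[1], (i + 1) % N))
    return frozenset(out)


def pre(F):
    """Pre(F): eq. (2) joined over all players, i.e. some move enters F."""
    return frozenset(u for u in NODES if successors(u) & F)


def cpre(j, F):
    """CPre_j(F), eq. (5): where j moves, some successor lies in F (exists);
    where another player moves, every successor lies in F (forall)."""
    result = set()
    for u in NODES:
        succ = successors(u)
        if u[2] == j:
            if succ & F:
                result.add(u)
        elif succ <= F:
            result.add(u)
    return frozenset(result)


def lfp(f):
    """Least fixpoint mu X. f(X), iterated from the empty set."""
    X = frozenset()
    while True:
        nxt = f(X)
        if nxt == X:
            return X
        X = nxt


def pre_star(F):
    """Pre*(F) = mu X. F or Pre(X), eq. (4): the cooperative winning set for reaching F."""
    return lfp(lambda X: F | pre(X))


def attractor(j, F):
    """Attr_j(F) = mu X. F or CPre_j(X), eq. (7): where j forces a visit to F alone."""
    return lfp(lambda X: F | cpre(j, X))


def needs_assumptions(j, F):
    """Nodes that are cooperatively winning but outside player j's attractor:
    there, j can reach F only under assumptions about the other players."""
    return pre_star(F) - attractor(j, F)


TARGET = frozenset(u for u in NODES if u[0] == 2)   # the predicate x0 == 2


if __name__ == "__main__":
    print("cooperative winning set:", len(pre_star(TARGET)), "of", len(NODES), "nodes")
    print("Attr_0:", sorted(attractor(0, TARGET)))
    print("Attr_1:", sorted(attractor(1, TARGET)))
    print("player 0 needs assumptions at:", sorted(needs_assumptions(0, TARGET)))
```

In this game every node is cooperatively winning, since player 1 can set $x_1 = 1$ and let player 0 advance, but $\mathrm{Attr}_0(F)$ contains only the target and the node $(1, 1, 0)$: from anywhere else, player 1 can keep $x_1 = 0$ forever. A BDD implementation replaces the set operations by conjunction, disjunction and quantification over the primed variables, as written in equations (2) and (5).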

5.3 Linear temporal logic

Linear temporal logic [?] with past [?] is an extension of Boolean logic used to reason about temporal
modalities over sequences. The temporal operators:

• next $\bigcirc$,

• previous $\ominus$,

• until $\mathcal{U}$, and

• since $\mathcal{S}$

suffice to define the other operators [?]. Let $AP$ be a set of propositional variable symbols, with values
in $\mathbb{B} \triangleq \{\bot, \top\}$. A well-formed LTL formula is inductively defined by

$$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \bigcirc\varphi \mid \varphi\,\mathcal{U}\,\varphi \mid \ominus\varphi \mid \varphi\,\mathcal{S}\,\varphi. \qquad (8)$$

It is modeled by a sequence (word) of variable assignments $w : \mathbb{N} \to 2^{AP}$. Here, we define informally the
operators that we will use. The formula $\Box p$ holds if $p$ is forever true, $\Diamond p$ if $p$ becomes true at some non-past
time. The weak previous formula $\odot p \triangleq \neg\ominus\neg p$ is true if a previous time step does not exist, or $p$ is true in
the previous time step. In contrast, $\ominus p$ is true if a previous time step does exist, and $p$ is true then.
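As an added example (not from the paper), the following Python block evaluates formulas of this logic over ultimately periodic words, given as a finite prefix plus a loop that repeats forever. It covers the operators used above (next, previous, weak previous, $\Box$, $\Diamond$) with bounded past only; the tuple representation of formulas and the sample words are assumptions of the example. It revisits the Alice and Bob specifications of Section 2, $\Box(b \to \bigcirc\Diamond a)$ and its mirror image, and checks that the word on which neither ever acts satisfies both (simultaneous antecedent failure), whereas the word on which Bob does $b$ once and Alice never answers violates Alice's.

```python
"""Evaluator for LTL with (bounded) past over ultimately periodic words.

Added example, not from the paper. A word w : N -> 2^AP is given as a
finite prefix followed by a loop that repeats forever; each letter is the
set of atomic propositions true at that time step. Formulas are nested
tuples (a representation assumed for this example):
  ('p', name)                 atomic proposition
  ('not', f), ('and', f, g), ('implies', f, g)
  ('next', f)                 f holds at the next step
  ('always', f)               f holds now and at every later step
  ('eventually', f)           f holds now or at some later step
  ('prev', f)                 previous: a previous step exists and f held there
  ('wprev', f)                weak previous: no previous step, or f held there
"""


class Word:
    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("loop must be non-empty, otherwise the word is finite")
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]

    def letter(self, t):
        """w(t): the assignment at time t (prefix first, then the loop forever)."""
        p = len(self.prefix)
        if t < p:
            return self.prefix[t]
        return self.loop[(t - p) % len(self.loop)]

    def horizon(self, t, depth):
        """Checking positions t .. horizon-1 suffices for an unbounded future
        quantifier: once the loop has been entered and `depth` steps of past
        lie inside it, the word looks the same after one more loop iteration."""
        return max(t, len(self.prefix) + depth) + len(self.loop)


def past_depth(f):
    """Nesting depth of previous operators: how far back truth at t can look."""
    if f[0] == 'p':
        return 0
    d = max(past_depth(g) for g in f[1:])
    return d + 1 if f[0] in ('prev', 'wprev') else d


def holds(f, w, t=0):
    """Does formula f hold on word w at time t?"""
    op = f[0]
    if op == 'p':
        return f[1] in w.letter(t)
    if op == 'not':
        return not holds(f[1], w, t)
    if op == 'and':
        return holds(f[1], w, t) and holds(f[2], w, t)
    if op == 'implies':
        return (not holds(f[1], w, t)) or holds(f[2], w, t)
    if op == 'next':
        return holds(f[1], w, t + 1)
    if op == 'always':
        return all(holds(f[1], w, s) for s in range(t, w.horizon(t, past_depth(f[1]))))
    if op == 'eventually':
        return any(holds(f[1], w, s) for s in range(t, w.horizon(t, past_depth(f[1]))))
    if op == 'prev':
        return t > 0 and holds(f[1], w, t - 1)
    if op == 'wprev':
        return t == 0 or holds(f[1], w, t - 1)
    raise ValueError(f"unknown operator {op!r}")


# Alice and Bob from Section 2: each reacts to the other only eventually.
a, b = ('p', 'a'), ('p', 'b')
ALICE = ('always', ('implies', b, ('next', ('eventually', a))))   # [](b -> ()<>a)
BOB = ('always', ('implies', a, ('next', ('eventually', b))))     # [](a -> ()<>b)

# Constructed words.
IDLE = Word(prefix=[], loop=[set()])                  # nobody ever does anything
BOB_STARTS = Word(prefix=[{'b'}], loop=[set()])       # b once, then silence
ALTERNATE = Word(prefix=[], loop=[{'b'}, {'a'}])      # b, a, b, a, ...


def alice_bob_report():
    """(Alice satisfied?, Bob satisfied?) per word. On IDLE both hold
    vacuously: simultaneous antecedent failure, as Section 2 describes."""
    return {name: (holds(ALICE, w), holds(BOB, w))
            for name, w in (('idle', IDLE), ('bob_starts', BOB_STARTS), ('alternate', ALTERNATE))}


if __name__ == "__main__":
    for name, verdict in alice_bob_report().items():
        print(name, verdict)
```

The evaluator also exhibits the edge case that motivates the weak previous operator: at time 0 the strong previous $\ominus a$ is false on every word, while $\odot a$ is true, because no earlier step exists.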


5.4 Interleaving representation of a Streett(1) game

We will use an interleaving representation [?], with the notation defined in Section 5.1. In an interleaving
representation of a turn-based game, a single player moves in each logic time step. In a synchronous game,
players move in a fixed order. This order will be enforced by using the auxiliary variable $i$ as the index of the
player that should move in the current logic time step.

In a game, each player is assigned a property to realize. A game structure collects the initial conditions,
actions, and liveness goals of each player. Two-player game structures in a non-interleaving representation
are defined in [51]. The property to be realized by the player of interest is defined there accordingly.

In an interleaving representation, a generalized reactivity(1) property [28] to be realized by player $j$ can be described as follows. Define

$$\begin{aligned}
\hat{\rho}_j(x, x'_j, i) &\triangleq \mathrm{ite}\big(i \neq j,\; x'_j = x_j,\; \rho_j \wedge (i' = i \oplus_n 1)\big) \\
\bar{\rho}_j(x, x', i) &\triangleq \bigwedge_{k \in I \setminus \{j\}} \hat{\rho}_k(x, x'_k, i).
\end{aligned} \tag{9}$$

In a two-player game, it is

$$\bar{\rho}_j(x, x', i) = \bigwedge_{k \in \{0,1\} \setminus \{j\}} \hat{\rho}_k(x, x'_k, i) = \hat{\rho}_{1-j}(x, x'_{1-j}, i). \tag{10}$$


Definition 6 (Generalized reactivity(1)). Assume that, for $i \in I$, each $\rho_i(x, x'_i)$ is an action formula, as defined in Section 5.1. Let $j \in I$ be the index of a player. Assume that, for $k \in I_P \subset \mathbb{N}$, each $P_{j,k}(x, i)$ is an assertion (a Boolean formula over unprimed variables), and similarly for $R_{j,r}(x, i)$. Then, the LTL formula

$$\varphi_j \triangleq \Box\big((\widetilde{\ominus}\Box\bar{\rho}_j) \rightarrow \hat{\rho}_j\big) \wedge \Big(\big(\Box\bar{\rho}_j \wedge \bigwedge_k \Box\Diamond P_{j,k}\big) \rightarrow \bigwedge_r \Box\Diamond R_{j,r}\Big) \tag{11}$$

describes a GR(1) property for player $j$.


For symmetry, the initial conditions have been omitted above. Initial conditions require selecting the player that moves first, and their consideration can be delayed until the phase of constructing a winning strategy. Observe that the action $\rho_i$ can depend on the variables $x, x'_i$, but is independent of the primed variables $x'_k$ of the other players, $k \neq i$.

As a shorthand for the above, we define strict implication between two temporal logic formulae in a (synchronous) interleaving representation of a game.


Definition 7 (Strict implication). Let $\rho_e, \rho_s, P_k, R_r$ be actions (or assertions). Define the strict implication operator $\Rrightarrow$ as

$$\underbrace{\Big(\Box\rho_e \wedge \bigwedge_k \Box\Diamond P_k\Big)}_{\text{assumption}} \Rrightarrow \underbrace{\Big(\Box\rho_s \wedge \bigwedge_r \Box\Diamond R_r\Big)}_{\text{guarantee}} \;\triangleq\; \Box\big((\widetilde{\ominus}\Box\rho_e) \rightarrow \rho_s\big) \wedge \Big(\big(\Box\rho_e \wedge \bigwedge_k \Box\Diamond P_k\big) \rightarrow \bigwedge_r \Box\Diamond R_r\Big). \tag{12}$$

The antecedent constrains the other players, and the consequent the player under consideration. For a non-interleaving representation, strict implication was defined in [51]. Unless the action-fairness pairs are machine closed, and the actions are complete, the strict implication operator $\Rrightarrow$ differs from the TLA while-plus operator $\mathrel{-\!+\!\!\rightarrow}$.

With Definition 7, we can rewrite Definition 6 using strict implication:

$$\varphi_j \triangleq \Big(\Box\bar{\rho}_j \wedge \bigwedge_k \Box\Diamond P_{j,k}\Big) \Rrightarrow \Big(\Box\hat{\rho}_j \wedge \bigwedge_r \Box\Diamond R_{j,r}\Big). \tag{13}$$
6 Property closure

6.1 Cooperative winning set

In the following, we will present an algorithm for computing pairs of specifications that allow players to cooperate. For that purpose, some definitions are needed. Let $\Sigma$ be a suitable alphabet, for example, $\Sigma = 2^{AP}$. The set $\Sigma^*$ denotes finite sequences of elements in $\Sigma$. The set $\Sigma^\omega$ denotes infinite sequences of elements in $\Sigma$. The elements of a sequence are indexed by integers, starting at 0. For a sequence $w \in \Sigma^\omega$, the subsequence that starts at element $i$ and ends at element $j$ (inclusive) is denoted by $w[i \ldots j]$.

Definition 8 ([TS]). A behavior or property $P \subseteq \Sigma^\omega$ is a set of infinite sequences.

Definition 9 (Prefix set). The prefix set of a property $P$ is defined as

$$\mathrm{Pref}(P) \triangleq \{a \in \Sigma^* \mid \exists w \in P.\; a = w[0 \ldots |a| - 1]\}. \tag{14}$$

Definition 10 (Limit set [40]). Given a property $P \subseteq \Sigma^*$, the set of limits of property $P$ in property $Q$ is defined as

$$\mathrm{Safety}_Q(P) \triangleq \{w \in Q \mid \forall k \in \mathbb{N}.\; w[0 \ldots k] \in P\}. \tag{15}$$

If the subscript $Q$ is omitted, then $Q = \Sigma^\omega$, i.e.,

$$\mathrm{Safety}(P) \triangleq \mathrm{Safety}_{\Sigma^\omega}(P). \tag{16}$$

Definition 11 (Relative closure [54, 16]). The closure of a property $P \subseteq \Sigma^\omega$ with respect to another property $Q \subseteq \Sigma^\omega$ is defined as

$$\mathcal{C}_Q(P) \triangleq \mathrm{Safety}_Q(\mathrm{Pref}(P)) = \{w \in Q \mid \forall k \in \mathbb{N}.\; \exists a \in P.\; w[0 \ldots k] = a[0 \ldots k]\}. \tag{17}$$

If the subscript $Q$ is omitted, then $Q = \Sigma^\omega$, i.e.,

$$\mathcal{C}(P) \triangleq \mathcal{C}_{\Sigma^\omega}(P). \tag{18}$$

For brevity, define $\bar{P} \triangleq \mathcal{C}(P)$.


The definition $\mathcal{C}_{\Sigma^\omega}(P)$ corresponds to $\mathcal{C}(P)$ in [TS]. The closure of a property is with respect to the topology induced by the metric that measures similarity by the length of the longest common prefix between two sequences.

Definition 12. Assume that $P \subseteq \Sigma^\omega \cup \Sigma^*$ is a property. Define the set of letters that appear in any word in property $P$ as

$$\mathrm{States}(P) \triangleq \{s \in \Sigma \mid \exists w \in P.\; \exists k \in \mathbb{N}.\; s = w[k]\}. \tag{19}$$

The definition of closure implies that $\mathrm{States}(P) = \mathrm{States}(\mathcal{C}(P))$.

Definition 13 ([55, 40]). Assume that $F \subseteq \Sigma$ is a set of letters, and $\rho_j$, $j \in I$, a collection of actions (transition relations). Then, the safe words are those in the set

$$\mathrm{Safe}(F) \triangleq \Big\{ w \in \Sigma^\omega \;\Big|\; \forall k \in \mathbb{N}.\; w[k] \in F \wedge \bigwedge_{j \in I} \Big( (w[k]|_i = j) \rightarrow \big( w[k+1]|_i = j \oplus_n 1 \;\wedge\; w[k]|_{x_{I \setminus \{j\}}} = w[k+1]|_{x_{I \setminus \{j\}}} \;\wedge\; \rho_j(w[k], w[k+1]) \big) \Big) \Big\}. \tag{20}$$

The map States projects a sequence on the state space. In the opposite direction, the map Safe yields the largest invariant subset of a given safe set, under the transition relations.

Definition 14 ([40]). The cooperative winning set is the set of nodes in the game graph, from where the players can cooperate to satisfy their objectives. In a turn-based synchronous game with $n$ players, with objectives $\varphi_j$, $j \in I$ (that include the transition relations $\rho_j$), it is

$$\mathrm{Coop}\Big(\bigwedge_{j \in I} \varphi_j\Big) \triangleq \Big\{ u \in \Sigma = 2^{AP} \;\Big|\; \exists w \in \mathcal{C}\Big(\bigwedge_{j \in I} \varphi_j\Big).\; w[0] = u \Big\}. \tag{21}$$
In other words, the cooperative winning set is the set of nodes from where a centralized controller has a winning strategy. If the objectives $\varphi_j$ do not include initial conditions (see the footnote at the end of this subsection), i.e., are tail-closed, then

$$\mathrm{Coop}\Big(\bigwedge_{j \in I} \varphi_j\Big) = \mathrm{States}\Big(\bigcap_{j \in I} \mathcal{C}(\varphi_j)\Big). \tag{22}$$

The closure of the conjoined specifications is equal to the safe words defined by the cooperative winning set. This follows from

$$\mathrm{States}\Big(\bigcap_{j \in I} \mathcal{C}(\varphi_j)\Big) = \mathrm{States}\Big(\mathcal{C}\Big(\bigcap_{j \in I} \mathcal{C}(\varphi_j)\Big)\Big), \tag{23}$$

which implies that

$$\mathrm{Coop}\Big(\bigwedge_{j \in I} \varphi_j\Big) = \mathrm{States}\Big(\mathcal{C}\Big(\bigcap_{j \in I} \mathcal{C}(\varphi_j)\Big)\Big) \;\Rightarrow\; \mathrm{Safe}\Big(\mathrm{Coop}\Big(\bigwedge_{j \in I} \varphi_j\Big)\Big) = \mathrm{Safe}\Big(\mathrm{States}\Big(\mathcal{C}\Big(\bigcap_{j \in I} \mathcal{C}(\varphi_j)\Big)\Big)\Big). \tag{24}$$

Observing that each $\varphi_j$ includes $\Box\rho_j$, it follows that $\mathrm{Safe}\big(\mathrm{States}\big(\mathcal{C}\big(\bigcap_{j \in I} \mathcal{C}(\varphi_j)\big)\big)\big) = \mathcal{C}\big(\bigcap_{j \in I} \mathcal{C}(\varphi_j)\big)$, therefore

$$\mathrm{Safe}\Big(\mathrm{Coop}\Big(\bigwedge_{j \in I} \varphi_j\Big)\Big) = \mathcal{C}\Big(\bigcap_{j \in I} \mathcal{C}(\varphi_j)\Big). \tag{25}$$


Define the recurrence formulae $\mathrm{WF}_j \triangleq \bigwedge_r \Box\Diamond G_{j,r}$, for $j \in I$. For each player $j$, assume that it has as objective the property described by the formula

$$\varphi_j \triangleq \Box\rho_j \wedge \mathrm{WF}_j. \tag{26}$$

The property $\varphi_j$ is in the GR(1) fragment of LTL, so it defines a generalized Streett game of rank 1 (unconditional, i.e., without assumptions). The objectives $\varphi_j$ may be unrealizable. For each objective $\varphi_j$, we are interested in constructing assumptions that make it realizable. These assumptions will become objectives for the other agents. Note that, at this stage, there are no persistence objectives (i.e., no recurrence assumptions yet).

The cooperative winning set can be computed by the fixpoint formula

$$\mathrm{Coop}\Big(\bigwedge_{j \in I} \varphi_j\Big) = \nu \begin{bmatrix} Z_0 \\ Z_1 \\ \vdots \\ Z_m \end{bmatrix}. \begin{bmatrix} \mathrm{Pre}^*(G_{0,0} \wedge \mathrm{Pre}(Z_1)) \\ \mathrm{Pre}^*(G_{0,1} \wedge \mathrm{Pre}(Z_2)) \\ \vdots \\ \mathrm{Pre}^*(G_{n-1,N_{n-1}-1} \wedge \mathrm{Pre}(Z_0)) \end{bmatrix} = \nu Z.\; \bigwedge_{j=0}^{n-1} \bigwedge_{r=0}^{N_j - 1} \mathrm{Pre}^*(G_{j,r} \wedge \mathrm{Pre}(Z)). \tag{27}$$


The above computation of the fixpoint involves the recurrence goals of all players. The aim of decomposing a 
large system is to modularize the design effort. This motivates parallelizing the above fixpoint computation. 

A slightly different arrangement is also possible. The goals of each player can be grouped into a vectorized subformula, as follows

$$\nu Z.\; \bigwedge_{j=0}^{n-1} \nu Z_j.\; Z \wedge \bigwedge_{r=0}^{N_j - 1} \mathrm{Pre}^*(G_{j,r} \wedge \mathrm{Pre}(Z_j)). \tag{28}$$

This is expected to increase the sharing of subformulae, because of the overlap of support sets among objectives of a single player. It is motivated, in part, by the observations of Section [O}. In Section 6.2, it is shown that the outer fixpoint will be delayed from converging only by states that are live for each objective separately, but not for all objectives jointly. By increasing coupling between goals, the rate of convergence improves, while still parallelizing the computation, with a granularity at the level of players, instead of individual recurrence goals. Regarding the variable order, postponing the interaction of BDDs for iterates associated with goals of different players is expected to reduce the coupling between variables, and thus reduce the cost and improve the effectiveness of BDD variable reordering.
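The two fixpoints of Eqs. (27) and (28), computed on an explicit-state game graph with Python sets standing in for BDDs (an added example, not the paper's code; the nine-node graph and the goal sets are constructed). The flat version returns its successive iterates, so the states that are live for each goal separately but not jointly can be seen surviving exactly one iteration.

```python
"""Cooperative winning set of an n-player recurrence game, Eqs. (27)-(28), on an
explicit-state game graph.  Added example, not the paper's code; the graph and
goal sets below are constructed.  The computation is cooperative (a centralized
controller moves for everyone), so node ownership plays no role: Pre(Z) holds
at a node if *some* successor lies in Z.  Sets stand in for the paper's BDDs."""
from typing import Dict, List, Set

Graph = Dict[str, Set[str]]  # node -> set of successor nodes


def pre(graph: Graph, target: Set[str]) -> Set[str]:
    """Pre(T): nodes with at least one successor in T (cooperative predecessor)."""
    return {u for u, succ in graph.items() if succ & target}


def pre_star(graph: Graph, target: Set[str]) -> Set[str]:
    """Pre*(T) = mu Y. T | Pre(Y): nodes that are in T or can reach T."""
    y: Set[str] = set(target)
    while True:
        nxt = y | pre(graph, y)
        if nxt == y:
            return y
        y = nxt


def coop_flat(graph: Graph, goals: List[List[Set[str]]]) -> List[Set[str]]:
    """Eq. (27): nu Z. AND_j AND_r Pre*(G_{j,r} & Pre(Z)), all goals of all players
    in one conjunction.  Returns the iterates Z_0 = all nodes, Z_1, Z_2, ...; the
    last one is the fixpoint, so the rate of convergence can be inspected."""
    z: Set[str] = set(graph)
    iterates: List[Set[str]] = [set(z)]
    while True:
        nxt = set(graph)
        for player_goals in goals:
            for g in player_goals:
                nxt &= pre_star(graph, g & pre(graph, z))
        if nxt == z:
            return iterates
        z = nxt
        iterates.append(set(z))


def coop_vectorized(graph: Graph, goals: List[List[Set[str]]]) -> Set[str]:
    """Eq. (28): nu Z. AND_j nu Z_j. Z & AND_r Pre*(G_{j,r} & Pre(Z_j)); the goals
    of each player are grouped in an inner greatest fixpoint Z_j."""
    z: Set[str] = set(graph)
    while True:
        nxt = set(graph)
        for player_goals in goals:
            zj = set(z)
            while True:  # inner fixpoint of player j, started from the outer iterate
                inner = set(z)
                for g in player_goals:
                    inner &= pre_star(graph, g & pre(graph, zj))
                if inner == zj:
                    break
                zj = inner
            nxt &= zj
        if nxt == z:
            return z
        z = nxt


# Constructed graph.  Player 0 has the goal set {d, g}; player 1 has the goal
# sets {b, z} and {e, z}.  Nodes y and z are live for every goal separately
# (y reaches g, and y/z cycle through z), but no single run from them visits a
# player-0 goal and both player-1 goals infinitely often, because g is a sink
# that never reaches b or e.  They therefore survive the first iterate only.
GRAPH: Graph = {
    "a": {"b"}, "b": {"c", "e"}, "c": {"d", "f"}, "d": {"b"}, "e": {"b"},
    "f": {"f"}, "g": {"g"}, "y": {"g", "z"}, "z": {"y"},
}
GOALS: List[List[Set[str]]] = [[{"d", "g"}], [{"b", "z"}, {"e", "z"}]]

if __name__ == "__main__":
    for k, zk in enumerate(coop_flat(GRAPH, GOALS)):
        print(f"Z_{k} =", sorted(zk))
    print("vectorized fixpoint =", sorted(coop_vectorized(GRAPH, GOALS)))
```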

Footnote: When computing the winning set in a game graph, initial conditions are neglected. They are accounted for later, during construction of a transducer.
Figure 1: In general, the closure of intersection differs from the intersection of closures.

6.2 Computing the closure 

In this section, we prove that

$$\mathrm{Coop}\Big(\bigwedge_{j \in I} \varphi_j\Big) = \nu Z.\; \bigwedge_{j=0}^{n-1} \nu Z_j.\; Z \wedge \bigwedge_{r=0}^{N_j - 1} \mathrm{Pre}^*(G_{j,r} \wedge \mathrm{Pre}(Z_j)). \tag{29}$$

This equality is a consequence of results about vectorized $\mu$-calculus [SS]. Nonetheless, a direct proof is presented below, that gives a better picture of how the sets change during the iteration.


From Section 6.1, recall that $\mathrm{Safe}\big(\mathrm{Coop}\big(\bigwedge_{j \in I} \varphi_j\big)\big) = \mathcal{C}\big(\bigcap_{j \in I} \mathcal{C}(\varphi_j)\big)$. In other words, given a conjunction of properties $L(\varphi_0 \wedge \varphi_1 \wedge \cdots \wedge \varphi_{n-1})$, its closure $\mathcal{C}(L(\varphi_0 \wedge \varphi_1 \wedge \cdots \wedge \varphi_{n-1}))$ is equal to the infinite words generated by the restriction of the transition relation to the cooperative winning set. For this reason, we refer to the closure $\mathcal{C}\big(\bigcap_{j \in I} \mathcal{C}(\varphi_j)\big)$ and the cooperative winning set $\mathrm{Coop}\big(\bigwedge_{j \in I} \varphi_j\big)$ interchangeably.

From Eq. (27), it suffices to prove that

$$\nu Z.\; \bigwedge_{j=0}^{n-1} \nu Z_j.\; Z \wedge \bigwedge_{r=0}^{N_j - 1} \mathrm{Pre}^*(G_{j,r} \wedge \mathrm{Pre}(Z_j)) = \nu Z.\; \bigwedge_{j=0}^{n-1} \bigwedge_{r=0}^{N_j - 1} \mathrm{Pre}^*(G_{j,r} \wedge \mathrm{Pre}(Z)). \tag{30}$$

This is equivalent to proving that the fixpoint is equal to the fixpoint iteration that alternates between taking closure and intersection.

Proposition 15. For the properties defined by the formulae $\varphi_i$, the closure of the intersection is a subset of the intersection of closures, i.e., $\mathcal{C}\big(\bigcap_{i=0}^{n-1} L(\varphi_i)\big) \subseteq \bigcap_{i=0}^{n-1} \mathcal{C}(L(\varphi_i))$.

The obstruction in parallelizing the computation is that, in general, the opposite containment does not hold. In that case, the difference arises due to words on the boundary of some property, as proved by the following.

Proposition 16. Assume that the closure of intersection differs from the intersection of closures, i.e., $\mathcal{C}\big(\bigcap_{i=0}^{n-1} L(\varphi_i)\big) \neq \bigcap_{i=0}^{n-1} \mathcal{C}(L(\varphi_i))$. Then, for each word $w \in \big(\bigcap_{i=0}^{n-1} \mathcal{C}(L(\varphi_i))\big) \setminus \mathcal{C}\big(\bigcap_{i=0}^{n-1} L(\varphi_i)\big)$, there exists some property $L(\varphi_j)$, such that $w$ is on the excluded boundary of property $L(\varphi_j)$, i.e., $w \in \partial L(\varphi_j) \setminus L(\varphi_j)$.

In any ball around a word $w$ in the boundary $\partial L(\varphi_j)$, there exists some word $z$ in the property $L(\varphi_j)$. It follows that, for any prefix $p$ of word $w$, there exists some word $z \in L(\varphi_j)$ that has the prefix $p$. As a result, the word $w$ is safe with respect to $L(\varphi_j)$, but not live.

Next, we define the iteration that corresponds to Eq. (29), and prove that it converges to the cooperative winning set.

Definition 17. Define $P_j \triangleq L(\varphi_j)$. Initialize $Q^0 \triangleq \Sigma^\omega$, and iterate for $k \in \mathbb{N}$

$$R^k_j \triangleq \mathcal{C}(Q^k \cap P_j), \qquad Q^{k+1} \triangleq \bigcap_{j \in I} R^k_j. \tag{31}$$

We are interested in proving that the iteration of Definition 17 reaches as fixpoint the set $\mathcal{C}\big(\bigcap_{j \in I} P_j\big)$. For this purpose, we will prove that

• $\mathcal{C}\big(\bigcap_{j \in I} P_j\big) \subseteq Q^k$ remains invariant (Proposition 18), and

• if the current iterate $Q^k$ differs from $\mathcal{C}\big(\bigcap_{j \in I} P_j\big)$, then $|\mathrm{States}(Q^{k+1})| < |\mathrm{States}(Q^k)|$ (Proposition 19).

Proposition 18 (Invariant). For all $k \in \mathbb{N}$, $\mathcal{C}\big(\bigcap_{j \in I} P_j\big) \subseteq Q^k$.

Proof. By induction:

Case $k = 0$: It is $\mathcal{C}\big(\bigcap_{j \in I} P_j\big) \subseteq \Sigma^\omega = Q^0$.

Case $k > 0$: Assume that $\mathcal{C}\big(\bigcap_{j \in I} P_j\big) \subseteq Q^k$. We will prove that $\mathcal{C}\big(\bigcap_{j \in I} P_j\big) \subseteq Q^{k+1}$. By definition of the iterates,

$$Q^{k+1} = \bigcap_{j \in I} R^k_j = \bigcap_{j \in I} \mathcal{C}(Q^k \cap P_j). \tag{32}$$

By the induction hypothesis,

$$\mathcal{C}\Big(\bigcap_{i \in I} P_i\Big) \subseteq Q^k \;\Rightarrow\; P_j \cap \mathcal{C}\Big(\bigcap_{i \in I} P_i\Big) \subseteq Q^k \cap P_j \;\Rightarrow\; \mathcal{C}\Big(P_j \cap \mathcal{C}\Big(\bigcap_{i \in I} P_i\Big)\Big) \subseteq \mathcal{C}(Q^k \cap P_j). \tag{33}$$

Therefore, it suffices to prove that $\mathcal{C}\big(\bigcap_{i \in I} P_i\big) \subseteq \mathcal{C}\big(P_j \cap \mathcal{C}\big(\bigcap_{i \in I} P_i\big)\big)$. It is

$$\bigcap_{i \in I} P_i \subseteq P_j \;\Rightarrow\; P_j \cap \bigcap_{i \in I} P_i = \bigcap_{i \in I} P_i, \tag{34}$$

so

$$\begin{aligned}
P_j \cap \mathcal{C}\Big(\bigcap_{i \in I} P_i\Big) &= P_j \cap \Big(\Big(\bigcap_{i \in I} P_i\Big) \cup \Big(\partial \bigcap_{i \in I} P_i\Big)\Big) = \Big(P_j \cap \bigcap_{i \in I} P_i\Big) \cup \Big(P_j \cap \partial \bigcap_{i \in I} P_i\Big) = \bigcap_{i \in I} P_i \cup \Big(P_j \cap \partial \bigcap_{i \in I} P_i\Big) \\
\mathcal{C}\Big(P_j \cap \mathcal{C}\Big(\bigcap_{i \in I} P_i\Big)\Big) &= \mathcal{C}\Big(\bigcap_{i \in I} P_i \cup \Big(P_j \cap \partial \bigcap_{i \in I} P_i\Big)\Big) = \mathcal{C}\Big(\bigcap_{i \in I} P_i\Big) \cup \mathcal{C}\Big(P_j \cap \partial \bigcap_{i \in I} P_i\Big) \\
&\Rightarrow\; \mathcal{C}\Big(\bigcap_{i \in I} P_i\Big) \subseteq \mathcal{C}\Big(P_j \cap \mathcal{C}\Big(\bigcap_{i \in I} P_i\Big)\Big).
\end{aligned} \tag{35}$$

By the above result, Eq. (33), and the induction hypothesis $\mathcal{C}\big(\bigcap_{j \in I} P_j\big) \subseteq Q^k$, it follows that

$$\forall j \in I.\; \mathcal{C}\Big(\bigcap_{i \in I} P_i\Big) \subseteq \mathcal{C}\Big(P_j \cap \mathcal{C}\Big(\bigcap_{i \in I} P_i\Big)\Big) \subseteq \mathcal{C}(Q^k \cap P_j) \;\Rightarrow\; \mathcal{C}\Big(\bigcap_{i \in I} P_i\Big) \subseteq \bigcap_{j \in I} \mathcal{C}(Q^k \cap P_j). \tag{36}$$

Using Eq. (32), it follows that

$$\mathcal{C}\Big(\bigcap_{i \in I} P_i\Big) \subseteq \bigcap_{j \in I} \mathcal{C}(Q^k \cap P_j) = Q^{k+1}. \tag{37}$$

This is the inductive claim. □


Proposition 19 (Variant). If $Q^k \neq \mathcal{C}\big(\bigcap_{j \in I} P_j\big)$, then $|\mathrm{States}(Q^{k+1})| < |\mathrm{States}(Q^k)|$.

Proof. By definition of the iterates, $Q^{k+1} = \bigcap_{j \in I} \mathcal{C}(Q^k \cap P_j)$. The closure $\mathcal{C}(Q^0) = \mathcal{C}(\Sigma^\omega) = \Sigma^\omega = Q^0$, so the set $Q^0$ is closed. As the intersection of closed sets, the set $Q^k$, $k > 0$, is closed. It is

$$Q^k \cap P_j \subseteq Q^k \;\Rightarrow\; \mathcal{C}(Q^k \cap P_j) \subseteq \mathcal{C}(Q^k) = Q^k \;\Rightarrow\; Q^{k+1} = \bigcap_{j \in I} \mathcal{C}(Q^k \cap P_j) \subseteq Q^k.$$

It remains to prove that $Q^{k+1} \neq Q^k$. We will show that taking the closures $\mathcal{C}(Q^k \cap P_j)$ will yield at least one set $\mathrm{States}(R^k_j) \subsetneq \mathrm{States}(Q^k)$. By Proposition 18, $\mathcal{C}\big(\bigcap_{j \in I} P_j\big) \subseteq Q^k$, and by hypothesis they are not equal. So, the difference $K \triangleq Q^k \setminus \mathcal{C}\big(\bigcap_{j \in I} P_j\big)$ is non-empty. By induction, the containment $Q^{k+1} \subseteq Q^k$ implies that, for any $k > 0$, it is $Q^k \subseteq Q^1 = \bigcap_{i \in I} \mathcal{C}(P_i)$. So, $K \subseteq \bigcap_{i \in I} \mathcal{C}(P_i)$. This result is analogous to Proposition 16, but for an arbitrary iteration along the computation.

Consider any word $w \in K$. By the previous, $w \in \bigcap_{i \in I} \mathcal{C}(P_i)$. The game graph is finite, so, by the pigeonhole principle, the word $w$ has a finite prefix and a finite cycle as suffix. Denote by $M$ the non-empty set of nodes in the suffix. The word $w \in \bigcap_{i \in I} \mathcal{C}(P_i)$, so, from each node in $M$, for each $j \in I$, a strongly connected component (SCC) that intersects all recurrence sets of $P_j$ is reachable. The word $w$ is not in $\mathcal{C}\big(\bigcap_{j \in I} P_j\big)$. So, an SCC that intersects the recurrence sets of all properties is not reachable from any node in $M$.

Define $S_j$ the SCC that intersects the recurrence sets of $P_j$ and is reachable from $M$. The set $R^k_j = \mathcal{C}(Q^k \cap P_j)$, so nodes in $\mathrm{States}(R^k_j)$ can reach only the intersection $S_j \cap \mathrm{States}(Q^k)$. If $S_j \cap \mathrm{States}(Q^k) = \emptyset$, and there are no other SCCs that intersect a $P_j$ and are reachable from $M$, then the nodes in $M \subseteq \mathrm{States}(Q^k)$ are not in $\mathrm{States}(R^k_j)$, and the claim holds.

Suppose that $S_j \cap \mathrm{States}(Q^k) \neq \emptyset$. Consider the nodes in $S_j \cap \mathrm{States}(Q^k)$. These nodes are in $\mathrm{States}(Q^k)$. So the same arguments apply, as those we developed for nodes in $M$. This leads to new SCCs, that form a directed acyclic graph (DAG). By finiteness of the game graph, the induction will terminate.

Consider a leaf of the DAG. It is an SCC terminal in $\mathrm{States}(Q^k)$, that does not intersect at least one recurrence set, of at least one property $P_j$. (If not, then the SCC would satisfy $\bigcap_{j \in I} P_j$. By construction, the leaf SCC is reachable from the nodes in $M$ (suffix). This implies that from nodes in $M$, an SCC satisfying $\bigcap_{j \in I} P_j$ is reachable. It follows that $w$ is in $\mathcal{C}\big(\bigcap_{j \in I} P_j\big)$. This contradicts the definition of $w$, as a word not in $\mathcal{C}\big(\bigcap_{j \in I} P_j\big)$.) Therefore, there is at least one recurrence set of $P_j$, which is unreachable from the nodes in the leaf SCC, without exiting the set $\mathrm{States}(Q^k)$. It follows that none of these nodes is contained in $\mathrm{States}(\mathcal{C}(Q^k \cap P_j))$. These nodes are in $\mathrm{States}(Q^k)$, so $R^k_j = \mathcal{C}(Q^k \cap P_j) \subsetneq Q^k$. □


We have proved the following.

Theorem 20. The closure of intersection $\mathcal{C}\big(\bigcap_{j \in I} L(\varphi_j)\big)$ is equal to the fixpoint of the iterated intersection of closures $Q^{k+1} = \bigcap_{j \in I} \mathcal{C}(Q^k \cap L(\varphi_j))$, starting from $Q^0 = \Sigma^\omega$.

After the cooperative winning set $C \triangleq \mathrm{Coop}\big(\bigwedge_{j \in I} \varphi_j\big)$ has been computed, each transition relation $\rho_j$ is restricted to it, by conjoining it with $\rho_C \triangleq C \wedge C'$. As proved in [30] for the case of two players, the restriction to the cooperative winning set satisfies two properties:

1. it is not restrictive, because it removes edges from the transition relation $\rho_i$ of player $i$, only if they lead outside the closure with respect to some other player $j$.

2. among all non-restrictive properties, the restriction to the cooperative winning set is minimal, as measured by the cardinality of the edges removed from the game graph.

In addition, the safety property $\Box C$ is added to the assumptions of each agent. The specifications become (redefining Eq. (26) by adding a safety assumption)

$$\varphi_j \triangleq (\Box\rho_C) \Rrightarrow (\Box\rho_j \wedge \Box\rho_C \wedge \mathrm{WF}_j). \tag{39}$$
7 Construction of weak fairness assumptions for a single goal

In this section, we introduce the main elements for the proposed algorithm, for the case of two agents. Let us consider a single recurrence goal. More than one goal is treated by constructing a transducer that cycles through them, and communicating to other players the currently pursued goal. This is described at the end of Section [?]. This need for coordination of pursued goals is unavoidable, because, otherwise, livelock arises naturally.

Our objective is to find assumptions that allow covering the cooperative winning set. This problem has been solved for a single agent, and full LTL, in [40]. Here, we are interested in assumptions restricted to the GR(1) fragment, and in multiple players. Recall that in Section 6 we conjoined the transition relations with the requirement that each player stays inside the cooperative winning set $C$, similarly to [40].

Let $\Box\Diamond G$, with $G \triangleq G_{j=0,r=0}$, be the recurrence goal of interest, of player 0. Player 0 can force a visit to the set $G$ from any node in the attractor $A_0 \triangleq \mathrm{Attr}_0(G)$. But $A_0$ may not cover the cooperative winning set $C$. By the definition of $C$, the set $A_0$ is reachable from $C \setminus A_0$. Since nodes in $C \setminus A_0$ do not belong to $A_0$, player 0 cannot force a transition from $C \setminus A_0$ to $A_0$. By determinacy of turn-based synchronous games with full information, player 1 must be able to force such a transition. It follows that the attractor $\mathrm{Attr}_1(A_0)$ is non-empty. This form of argument is reminiscent of the solution of parity games.

We want to construct an unconditional assumption that player 0 makes about player 1. Unconditional means that player 1 should be able to realize the assumption, without assuming any liveness property about player 0. If it needed to assume a liveness property about player 0, that would create circularity, causing trivial realizability.

A first attempt could be $\Box\Diamond(\mathrm{Attr}_1(A_0) \rightarrow A_0)$. This is insufficient, because player 0 may be able to exit the set $\mathrm{Attr}_1(A_0)$, but go to $\neg A_0$, not to $A_0$. So player 0 must be able to restrict player 1 inside a subset $K \subseteq \mathrm{Attr}_1(A_0)$, until player 0 forces its way to $A_0$, obliged by an assumption of the form $\Box\Diamond(K \rightarrow A_0)$. The inclusion $K \subseteq \mathrm{Attr}_1(A_0)$ ensures that player 1 cannot trap player 0 inside $K$, which would cause trivial realizability. Such an assumption may not exist, a case that is addressed later.

This requirement can be formalized by defining the controlled-escape subset of a set $S$,

$$\mathrm{Trap}_j(S, E) \triangleq \nu X.\; E \vee (\mathrm{CPre}_j(X) \wedge S). \tag{40}$$

The set $\mathrm{Trap}_j(S, E)$ contains those nodes, from where player $j$ can force to either remain inside $\mathrm{Trap}_j(S, E)$, or move to $E$, or is already in $E$. Note that $\mathrm{Trap}_j(S \vee E, \bot)$ is different, because it requires the ability to remain inside $S \vee E$.

Define $B_0 \triangleq \mathrm{Attr}_1(A_0)$, and $r_0 \triangleq (\mathrm{Trap}_0(B_0, A_0) \wedge B_0) \setminus A_0$. With this definition of a trap, we can now define the assumption of player 0 about player 1

$$\Box\Diamond(A_0 \vee \neg r_0) = \Box\Diamond(r_0 \rightarrow A_0). \tag{41}$$

This assumption extends the winning set of player 0, only if $\llbracket r_0 \rrbracket \neq \emptyset$. Otherwise, the assumption is not useful, and we need to either:

1. introduce a safety assumption that refers to additional variables, or

2. define the specification as a nested game.

In the following, we elaborate on these claims.
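The controllable predecessor and attractor of Section 5.2 (Eqs. (5) and (7)), the trap set of Eq. (40), and the sets $A_0$, $B_0$, $r_0$ behind the assumption of Eq. (41), computed on an explicit-state two-player game (an added example, not the paper's code; the five-node game is constructed, and every node is assumed to have a successor, i.e., the actions are complete). The second trap query shows the case where player 0 cannot confine player 1 to a subset, so the trap collapses to its target.

```python
"""CPre_j, Attr_j (Eqs. 5 and 7), Trap_j (Eq. 40) and the sets A0, B0, r0 of the
assumption []<>(r0 -> A0) (Eq. 41) on an explicit two-player game graph.
Added example, not the paper's code; the game below is constructed.
Each node is owned by the player who moves there (interleaving, turn-based).
Assumption: every node has at least one successor (the actions are complete)."""
from typing import Dict, Set, Tuple

Graph = Dict[str, Set[str]]  # node -> set of successor nodes
Owner = Dict[str, int]       # node -> player (0 or 1) who moves there


def cpre(graph: Graph, owner: Owner, j: int, target: Set[str]) -> Set[str]:
    """CPre_j(F): nodes from where player j can force the next node into F.
    At its own nodes j needs some successor in F (the existential case of
    Eq. 5); at the other player's nodes every successor must lie in F."""
    result: Set[str] = set()
    for u, succ in graph.items():
        if owner[u] == j and succ & target:
            result.add(u)
        elif owner[u] != j and succ <= target:
            result.add(u)
    return result


def attr(graph: Graph, owner: Owner, j: int, target: Set[str]) -> Set[str]:
    """Attr_j(F) = mu X. F | CPre_j(X): nodes from where j forces a visit to F."""
    x: Set[str] = set()
    while True:
        nxt = set(target) | cpre(graph, owner, j, x)
        if nxt == x:
            return x
        x = nxt


def trap(graph: Graph, owner: Owner, j: int, s: Set[str], e: Set[str]) -> Set[str]:
    """Trap_j(S, E) = nu X. E | (CPre_j(X) & S): nodes from where j can force the
    play to stay inside the trap until it reaches E (or is already in E)."""
    x: Set[str] = set(graph)
    while True:
        nxt = set(e) | (cpre(graph, owner, j, x) & set(s))
        if nxt == x:
            return x
        x = nxt


def fairness_sets(graph: Graph, owner: Owner,
                  goal: Set[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (A0, B0, r0) for the recurrence goal []<>goal of player 0.
    The assumption of player 0 about player 1 is []<>(r0 -> A0), Eq. (41);
    it is useful only if r0 is non-empty."""
    a0 = attr(graph, owner, 0, goal)       # player 0 forces the goal from here
    b0 = attr(graph, owner, 1, a0)         # player 1 can force A0 from here
    r0 = (trap(graph, owner, 0, b0, a0) & b0) - a0
    return a0, b0, r0


# Constructed game: player 0 moves at p, g, u; player 1 moves at q, t.
# Player 0 wants []<>g.  At q player 1 may loop back to p forever, which is
# exactly what the assumption []<>(r0 -> A0) rules out.
GRAPH: Graph = {"p": {"q"}, "q": {"p", "g", "t"}, "g": {"p"},
                "t": {"u"}, "u": {"t", "g"}}
OWNER: Owner = {"p": 0, "q": 1, "g": 0, "t": 1, "u": 0}

if __name__ == "__main__":
    a0, b0, r0 = fairness_sets(GRAPH, OWNER, {"g"})
    print("A0 =", sorted(a0), " B0 =", sorted(b0), " r0 =", sorted(r0))
    # Player 0 cannot keep player 1 inside {p, q, g}: at q player 1 may leave
    # to t, so the trap shrinks to the target {g} alone.
    print("Trap_0({p,q,g}, {g}) =", sorted(trap(GRAPH, OWNER, 0, {"p", "q", "g"}, {"g"})))
```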

7.1 The role of machine closure

In Section 6, we conjoined the transition relations with a safety requirement to remain inside the cooperative winning set $C$. In this section, we give an example, demonstrating that absence of closure can lead to a contract unrealizable by player 1, together with a contract that is trivially realizable by player 0.

In Fig. 2, nodes from where player 0 (player 1) moves are denoted by disks (boxes). Player 0 wants $\Box\Diamond G_{0,0}$, and player 1 $\Box\Diamond G_{1,0}$. The goal $G_{1,0}$ is not reachable from nodes $c, d$, so these nodes are not in the cooperative winning set $C$. Suppose that we ignored this, and used the transition relation $\rho_1$, as given by the specifier. Then, player 0 would think that player 1 can continue from node $b$ to node $c$, towards $d$. In other words, player 0 will compute a larger attractor $\mathrm{Attr}_1(A_0)$ for player 1. Taking into account the closure of the goal $\Box\Diamond G_{1,0}$ by restricting $\rho_1$ to the cooperative winning set, player 1 cannot take the transition $(b, c)$.

So, the property $\Box\Diamond((a \vee b \vee e \vee f) \rightarrow A_0)$, assumed by player 1, is not realizable by player 0. If player 0 knows about the goal $G_{1,0}$ of player 1, then the game with this assumption becomes trivially realizable by player 0, from the nodes $a, b, e$. Otherwise, the unrealizable contract will result in player 0 possibly choosing always the transition $(a, b)$ in vain, awaiting that player 1 will take $(b, c)$. In both cases, the design fails.

To avoid trivial realizability (that corresponds to circularity of liveness assumptions), we need to introduce a nested game, where player 1 assumes that player 1 will eventually transition to $f$. In this particular game, the nested game would have been avoided, had we conjoined with $\rho_C$, in order to ensure closure. This demonstrates that lack of closure can manifest itself as superfluous liveness assumptions that, due to possible circularity, give rise to unnecessary game nesting (nesting will be defined later). The pair $(\Box(\rho_0 \wedge \rho_1), \Box\Diamond G_{1,0})$ is not machine closed [TB], because $\mathcal{C}(\Box(\rho_0 \wedge \rho_1) \wedge \Box\Diamond G_{1,0}) \neq \Box(\rho_0 \wedge \rho_1)$, i.e., the property $\Box\Diamond G_{1,0}$ introduces a safety constraint on $\Box\rho_1$.

This superfluous nesting of games can result also due to variable hiding. If some variables of player 1 are hidden from player 0, then it may be the case that player 1 can traverse $(b, c)$ only when its internal state allows so.

Footnote: The greatest fixpoint operator $\nu$ is defined as $\nu X.\; f(X) \triangleq \neg\mu X.\; \neg f(\neg X)$.

Figure 2: Example that demonstrates that lack of closure information can lead to the need for introducing additional nested games.

7.2 Nonexistence of weak fairness assumptions over nodes 

Suppose that $\llbracket \mathrm{Trap}_0(B_0, A_0) \rrbracket = \emptyset$. This means that player 0 cannot keep player 1 in any subset of the attractor $\mathrm{Attr}_1(A_0)$. We will use two counterexamples, to prove that, if we restrict the assumptions to recurrence properties in the GR(1) fragment, then it is impossible to cover the cooperative winning region. Recall that in GR(1), a recurrence property includes a predicate over nodes, but not edges.

Proposition 21.

Assume: An infinite sequence $w \not\models \Box\rho_0 \wedge \Box\rho_1$.

Prove: For at least one of the two players, for any property $\varphi$ of the form of Definition 6, the sequence $w$ does not model $\varphi$.

(1)1. There exists a $k \in \mathbb{N}$ such that $w[k \ldots k+1] \not\models \rho_0 \wedge \rho_1$.

(1)2. Pick the minimal $k \in \mathbb{N}$ such that $w[k \ldots k+1] \not\models \rho_0 \wedge \rho_1$.
  Proof: By (1)1, the set of $k$ with this property is non-empty, countable, and bounded from below. So a minimal $k$ exists.

(1)3. Case: $w[k \ldots k+1] \not\models \rho_1$
  (2)1. $\forall r \in 0 \ldots k-1.\; w[r \ldots r+1] \models \rho_0 \wedge \rho_1$
    Proof: By (1)2, $k$ is the minimal non-negative integer with this property.
  (2)2. $w, k \models \widetilde{\ominus}\Box\rho_0$
    Proof: By (2)1.
  (2)3. $w, k \not\models \rho_1$
    Proof: By (1)3.
  (2)4. Q.E.D.
    Proof: By (2)2 and (2)3, $w, k \not\models (\widetilde{\ominus}\Box\rho_0) \rightarrow \rho_1 \;\Rightarrow\; w \not\models \Box((\widetilde{\ominus}\Box\rho_0) \rightarrow \rho_1)$.

(1)4. Case: $w[k \ldots k+1] \not\models \rho_0$
  Proof: Similar to (1)3.

(1)5. Q.E.D.
  Proof: By (1)2, the cases (1)3 and (1)4 are exhaustive.

Figure 3: There does not exist a weak fairness assumption that suffices for realizability in this example. Player 0 (player 1) controls the play at disks (boxes).

Proposition 22.

Assume: Define the transition relations $\rho_0, \rho_1$ by the game graph of Fig. 3. Define the set of nodes $V \triangleq \{s_0, \ldots, s_7\}$. Define the goal $G \triangleq \{s_6\}$ of player 0.

Prove: There does not exist a set $\llbracket P \rrbracket \subseteq V$, such that:

1. the property

$$\varphi_1 \triangleq (\Box\rho_0) \Rrightarrow (\Box\rho_1 \wedge \Box\Diamond P), \tag{42}$$

be realizable by player 1, and

2. the property

$$\varphi_0 \triangleq (\Box\rho_1 \wedge \Box\Diamond P) \Rrightarrow (\Box\rho_0 \wedge \Box\Diamond G) \tag{43}$$

be realizable by player 0.

(1)1. $\Box(\rho_0 \wedge \rho_1)$.
  Proof: By Proposition 21, if $\Box(\rho_0 \wedge \rho_1)$ is false for a play, then $\varphi_0$ or $\varphi_1$ is false.

(1)2. Case: $\llbracket P \rrbracket = \emptyset$
  Proof: $\Box\Diamond P = \Box\Diamond\bot$ is not realizable by player 1.

(1)3. Case: $\llbracket P \rrbracket \neq \emptyset$
  (2)1. Case: $\llbracket P \rrbracket \cap \{s_0, s_1\} = \emptyset$
    (3)1. $\llbracket P \rrbracket \cap (V \setminus \{s_0, s_1\}) \neq \emptyset$
      Proof: By (1)3 and (2)1.
    (3)2. $\llbracket P \rrbracket \cap \{s_2, \ldots, s_7\} \neq \emptyset$
      Proof: By (3)1 and definition of node set $V$.
    (3)3. $\Box\Diamond P$ not realizable by player 1.
      (4)1. Define: Player 0 strategy $f \triangleq (s_3 \rightarrow (s_3 \wedge s'_4)) \wedge (s_1 \rightarrow (s_1 \wedge s'_0))$
      (4)2. If player 0 uses the strategy $f$ of (4)1, then all plays violate $\Box\Diamond P$.
        (5)1. From the nodes $s_2, \ldots, s_7$, the play goes to node $s_1$.
        (5)2. From node $s_1$, the play is $s_1 (s_0 s_1)^\omega$.
        (5)3. Q.E.D.
          Proof: By (5)2, any play reaches, and then remains forever in, the set $\{s_0, s_1\}$. By (2)1, this play does not intersect $\llbracket P \rrbracket$, so the play does not satisfy $\Box\Diamond P$.
      (4)3. Q.E.D.
        Proof: By (4)2, player 1 cannot realize $\Box\Diamond P$.
    (3)4. Q.E.D.
      Proof: By (3)3, the consequent of $\varphi_1$ is false.

  (2)2. Case: $\llbracket P \rrbracket \cap \{s_0, s_1\} \neq \emptyset$
    (3)1. Case: $\llbracket P \rrbracket \cap \{s_2, s_3\} = \emptyset$
      (4)1. Define: Player 0 strategy $f \triangleq (s_1 \rightarrow (s_1 \wedge s'_2)) \wedge (s_3 \rightarrow (s_3 \wedge s'_2))$
      (4)2. If player 0 uses the strategy $f$ of (4)1, then all plays violate $\Box\Diamond P$.
        (5)1. From the nodes $s_0, s_4, \ldots, s_7$, the play goes to node $s_1$.
        (5)2. From node $s_1$, the play is $s_1 (s_2 s_3)^\omega$.
        (5)3. Q.E.D.
          Proof: By (5)2, the play reaches, and then remains forever in, the set $\{s_2, s_3\}$. By (3)1, this play does not intersect $\llbracket P \rrbracket$, so the play does not satisfy $\Box\Diamond P$.
      (4)3. Q.E.D.
        Proof: By (4)2, $\varphi_1$ is false.
    (3)2. Case: $\llbracket P \rrbracket \cap \{s_2, s_3\} \neq \emptyset$
      (4)1. Define: Player 1 strategy $f \triangleq s_4 \rightarrow (s_4 \wedge s'_1)$.
      (4)2. If player 1 uses strategy $f$ of (4)1, and the play is in the set $\{s_0, \ldots, s_4\}$, then the play remains in $\{s_0, \ldots, s_4\}$ in the next time step.
        Proof: The only edge that exits the set $\{s_0, \ldots, s_4\}$, and satisfies both $\rho_0$ and $\rho_1$, is $s_4 \wedge s'_5$. This player 1 edge is not in the strategy $f$ of (4)1.
      (4)3. If a play starts in the set $\{s_5, s_6, s_7\}$, then it reaches the set $\{s_0, \ldots, s_4\}$ in a finite number of steps.
        Proof: By the definition of $\rho_0, \rho_1$ and (1)1.
      (4)4. If player 1 uses strategy $f$ of (4)1, then any play enters the set $\{s_0, \ldots, s_4\}$, and then remains in it.
        Proof: By (4)2 and (4)3.
      (4)5. Any play where player 1 uses the strategy $f$ of (4)1 satisfies $\Box\Diamond P$.
        (5)1. Any play either reaches, and remains forever in, the set $\{s_2, s_3\}$, or it visits node $s_1$.
          (6)1. It is possible to remain forever in $\{s_2, s_3\}$.
          (6)2. If the play exits $\{s_2, s_3\}$, then it visits $s_1$.
            Proof: The only edge that exits $\{s_2, s_3\}$ is $s_3 \wedge s'_4$. By (4)1, the next edge is $s_4 \wedge s'_1$.
          (6)3. Q.E.D.
            Proof: By (6)1 and (6)2.
        (5)2. If the play visits node $s_1$, then it either visits both $s_0$ and $s_1$, or both $s_2$ and $s_3$.
          Proof: Each edge outgoing from node $s_1$ leads to either $s_0$ and $s_1$, or to $s_2$ and $s_3$.
        (5)3. Any play visits the set $\llbracket P \rrbracket$ infinitely many times.
          Proof: By (5)1, (5)2, the play either visits both $s_2$ and $s_3$ infinitely many times, or it reaches $s_1$ infinitely many times, so also either $s_2$ and $s_3$ infinitely many times, or $s_0$ and $s_1$ infinitely many times. By (2)2 and (3)2, the play visits the set $\llbracket P \rrbracket$ infinitely many times.
        (5)4. Q.E.D.
          Proof: By (5)3, the play satisfies $\Box\Diamond P$.
      (4)6. Q.E.D.
        Proof: By (4)4 and (4)5, any play where player 1 uses the strategy $f$ satisfies $\Box\Diamond P$ and violates $\Box\Diamond G$. So, $\varphi_0$ is not true.
    (3)3. Q.E.D.
      Proof: By (3)1 and (3)2.
  (2)3. Q.E.D.
    Proof: By (2)1 and (2)2.

(1)4. Q.E.D.
  Proof: By (1)2 and (1)3.

We can make a number of observations. Firstly, there does exist a weak fairness assumption outside of the GR(1) fragment, such that the game of Fig. 3 becomes non-trivially realizable. This weak fairness property is in an extension of the GR(1) fragment with action predicates in recurrence properties [58].

In particular, we have to tell player 0 that it is unfair to, forever, hide in the set $\{s_2, s_3\}$, i.e., $\Diamond\Box\neg(s_3 \wedge s'_2)$. If we add this property both as an assumption of player 1, and as a guarantee by player 0, then trivial realizability persists, because this is a liveness property (ignoring, for a moment, that this results in a Rabin(1) game). Thus, it should not be added as a guarantee for player 0.

But we can subtract this property from the assumption of player 0. Consider the desired assume-guarantee pair for player 1

$$\Diamond\Box\neg(s_3 \wedge s'_2) \rightarrow \Box\Diamond\big((s_1 \vee s_2 \vee s_3 \vee s_4) \rightarrow s_5\big). \tag{44}$$

Then, merge the antecedent (persistence) and consequent (recurrence) into a single recurrence property

$$\Box\Diamond\big((s_3 \wedge s'_2) \vee s_5 \vee \neg(s_1 \vee s_2 \vee s_3 \vee s_4)\big). \tag{45}$$

This property is realizable by player 1, but not in the GR(1) fragment, because $(s_3 \wedge s'_2)$ is an edge. It is in an extension of GR(1) with edges in liveness properties [55].

Moreover, the above property can be expressed in GR(1), by shifting the above transition formula one step into the past, as $\Box\Diamond\ominus(\cdots)$. This introduces a history variable, for remembering the past, and a safety property about this variable's update behavior. Pnueli observes in [14] the equivalence of auxiliary variables with allowing the past. We observe that describing in GR(1) this weak fairness property, which involves a transition relation, introduces a safety property, and increases the number of variables.

In general, a weak fairness assumption over edges (of both players) in the game graph can be computed by finding a trap set that is sufficiently large, to prevent player 1 from satisfying the assumption, by going away from the goal desired by player 0 (e.g., the edge $s_4 \wedge s'_1$ in Fig. 3). Such a set can lead to trivial realizability. In order to prevent trivial realizability, edges of player 0 that lead away from the goal can be subtracted from the assumption, as we did above with the edge $s_3 \wedge s'_2$. These edges can be computed by considering consecutive iterates of a reachability computation in the cooperative winning set.

Here, we decide to use the GR(1) fragment, with recurrence properties over nodes, because recurrence assumptions that refer to edges of player 0 need to include all backward leading edges inside the trap set. Therefore, this type of assumption explicitly refers to the transition relation, over a set of nodes. As a result, it leads to more complex and detailed formulae, which are less amenable to simplification, and are less suitable for an extension to cases with hidden variables.

Note that in a non-interleaving representation, both primed and unprimed variables are required to represent nodes from where player 1 moves. In more detail, player 1 moves from nodes of the form $(x_0, x_1, i)$. Even though such a representation involves primed variables, in the game graph, these are still nodes, not edges. Therefore, in a non-interleaving representation, the propositions have the same semantics, but with different syntax.

A more direct approach is to introduce safety, by requiring that $\Box(s_4 \rightarrow (s_4 \wedge s'_5))$. This resolves the non-determinism, by fixing a choice (undesirable). However, such a fixed safety assumption may not exist, as proved by the following.

Proposition 23 (Nonexistence of safety). 

Assume: Define the transition relations po,Pi by the game graph of Fig. [^ 

Prove: There does not exist a set |p] C |pi], such that player 1 chooses edges that satisfy p, and 

<p=n(poAp)AnOGiAnOG 2 (46) 

is satishable (cooperatively by player 0 and player 1 ). 

(1)1. nipoAp ) 

Proof: If □(po A Pi) is false for a play, then p is false. 
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Figure 4: There does not exist a realizable GR(1) property that suffices as an assumption in this example, 
as proved in Lemma 25 Player 0 (player 1) controls the play at disks (boxes). 


(1)2. Case: $\rho$ does not include the edge $s_0 \to s_1$. 

(2)1. No infinite play visits $[\![G_2]\!]$. 

Proof: By (1)2, if a play visits node $s_0$, then there is no next node. 

(2)2. Q.E.D. 

Proof: By (2)1, no play satisfies the property $\Box\Diamond G_2$. 

(1)3. Case: $\rho$ does not include the edge $s_2 \to s_3$. 

(2)1. If an infinite play visits $[\![G_2]\!]$, then it does not satisfy $\Box\Diamond G_1$. 

Proof: By (1)3, no path exists from the set $[\![G_2]\!] = \{s_0\}$ to the set $[\![G_1]\!] = \{s_6\}$. 

(2)2. Case: A play satisfies $\Box\Diamond G_2$. 

Proof: By (2)2, the play visits $[\![G_2]\!]$, so by (2)1, the play violates $\Box\Diamond G_1$. 

(2)3. Case: A play violates $\Box\Diamond G_2$. 

Proof: By definition of $\varphi$. 

(2)4. Q.E.D. 

Proof: By (2)2 and (2)3, with such a $\rho$, no play satisfies $\varphi$. 

(1)4. Case: $\rho$ does not include the edge $s_4 \to s_1$. 

(2)1. If an infinite play visits $[\![G_1]\!]$, then it does not satisfy $\Box\Diamond G_2$. 

Proof: By (1)4, there is no path from $[\![G_1]\!]$ to $[\![G_2]\!]$. 

(2)2. Case: A play satisfies $\Box\Diamond G_1$. 

Proof: By (2)2, the play visits $[\![G_1]\!]$, so by (2)1, the play violates $\Box\Diamond G_2$. 

(2)3. Case: A play violates $\Box\Diamond G_1$. 

Proof: By definition of $\varphi$. 

(2)4. Q.E.D. 

Proof: By (2)2 and (2)3, with such a $\rho$, no play satisfies $\varphi$. 

(1)5. Case: $\rho$ does not include the edge $s_4 \to s_5$. 

(2)1. If a play visits node $s_6$, then it does not revisit $s_6$. 

Proof: By (1)5, there does not exist a path from node $s_6$ back to node $s_6$. 

(2)2. Q.E.D. 

Proof: By (2)1, no play satisfies $\Box\Diamond G_1$. By definition of $\varphi$, no play satisfies $\varphi$. 

(1)6. Case: $\rho$ does not include the edge $s_6 \to s_3$. 

Proof: Similar to (1)2, but for the set $[\![G_1]\!]$. 

(1)7. Q.E.D. 

(2)1. $[\![\rho]\!] \subseteq [\![\rho_1]\!]$ and $[\![\rho]\!] \neq [\![\rho_1]\!]$. 

Proof: By hypothesis. 

(2)2. The transition relation $\rho$ has at least one fewer edge than $\rho_1$. 

Proof: By (2)1. 

(2)3. The cases (1)2–(1)6 are exhaustive. 

Proof: By (2)2, the definition (by hypothesis) of $\rho_1$ with 5 edges, and the case statements (1)2–(1)6 
for those 5 edges. 

(2)4. Q.E.D. 

Proof: By (2)3. 
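The case analysis of Proposition 23 can be checked mechanically. The following Python script is an example added by the editor, not code from the paper or its authors. It encodes the game graph of Fig. 4 as reconstructed from the proofs (player 0 moves at $s_1, s_3, s_5$; player 1 at $s_0, s_2, s_4, s_6$; $\rho_1$ consists of the five edges named in cases (1)2–(1)6), and decides cooperative satisfiability of $\varphi$ by searching for an infinite path that visits $G_1$ and $G_2$ infinitely often. Such a path exists iff some node of $G_1$ and some node of $G_2$ lie on a common cycle of the graph with edges $\rho_0 \cup \rho$. The edge lists are assumptions reconstructed from the text, and the check ignores the initial node (a play may start anywhere on the cycle). It goes slightly beyond the proof by enumerating all 31 proper subsets $\rho \subsetneq \rho_1$, not only the five single-edge deletions.

```python
# Editor's example (not code from the paper): mechanically check Proposition 23
# on the game graph of Fig. 4, reconstructed from the case analysis of the proof.
from itertools import combinations
from typing import FrozenSet, Iterable, Set, Tuple

Edge = Tuple[str, str]

# Edges of player 0 (from the disks s1, s3, s5) and the five edges of player 1
# (from the boxes s0, s2, s4, s6); both lists are reconstructed from the proofs.
RHO0: FrozenSet[Edge] = frozenset({("s1", "s0"), ("s1", "s2"), ("s3", "s2"),
                                   ("s3", "s4"), ("s5", "s6")})
RHO1: FrozenSet[Edge] = frozenset({("s0", "s1"), ("s2", "s3"), ("s4", "s1"),
                                   ("s4", "s5"), ("s6", "s3")})
G1: FrozenSet[str] = frozenset({"s6"})
G2: FrozenSet[str] = frozenset({"s0"})


def reach_plus(edges: Iterable[Edge], src: str) -> Set[str]:
    """Nodes reachable from src by a path of length at least one."""
    succ: dict = {}
    for u, v in edges:
        succ.setdefault(u, set()).add(v)
    seen: Set[str] = set()
    frontier = list(succ.get(src, ()))
    while frontier:
        v = frontier.pop()
        if v not in seen:
            seen.add(v)
            frontier.extend(succ.get(v, ()))
    return seen


def cooperatively_satisfiable(rho: Iterable[Edge],
                              g1: FrozenSet[str] = G1,
                              g2: FrozenSet[str] = G2) -> bool:
    """Does some play of [](rho0 /\\ rho) visit g1 and g2 infinitely often?

    Such a play exists iff a node a of g1 and a node b of g2 are mutually
    reachable, i.e. lie on a common cycle: looping a, ..., b, ..., a forever
    is a witness, and any witness contains such a cycle. The initial node is
    not constrained here (a play may start anywhere on the cycle).
    """
    edges = RHO0 | frozenset(rho)
    for a in g1:
        from_a = reach_plus(edges, a)
        for b in g2:
            if b in from_a and a in reach_plus(edges, b):
                return True
    return False


def proper_subsets(edges: FrozenSet[Edge]):
    """All rho with [[rho]] strictly contained in [[edges]]."""
    ordered = sorted(edges)
    for k in range(len(ordered)):
        for sub in combinations(ordered, k):
            yield frozenset(sub)


def dropped_edges(rho: Iterable[Edge]) -> list:
    """The player-1 edges that rho leaves out; each one triggers one of the
    cases (1)2-(1)6 of the proof."""
    return sorted(RHO1 - frozenset(rho))


def check_proposition_23() -> bool:
    """True iff rho1 itself admits a cooperative play but no proper subset does."""
    if not cooperatively_satisfiable(RHO1):
        return False
    return not any(cooperatively_satisfiable(rho) for rho in proper_subsets(RHO1))


if __name__ == "__main__":
    print("Proposition 23 holds on the reconstructed graph:", check_proposition_23())
    for rho in proper_subsets(RHO1):
        if len(rho) == len(RHO1) - 1:
            print("dropping", dropped_edges(rho), "-> satisfiable:",
                  cooperatively_satisfiable(rho))
```

Running the script prints that the full relation $\rho_1$ is cooperatively satisfiable (the cycle $s_0 s_1 s_2 s_3 s_4 s_5 s_6 s_3 s_4 s_1$ visits both goals) and that every proper subset is not, which is the content of the proposition; the single-edge deletions printed afterwards correspond one-to-one to cases (1)2–(1)6.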


In Proposition 23 we proved lack of satisfiability, not lack of mutual realizability. This condition (for 
safety here) is stronger than in Proposition 22 (for recurrence there). The reason is that we will need to 
combine the result with Proposition 24. If a property (safety) is not realizable by player 1, then conjoining 
it with another property (recurrence) restricts it further, so it remains unrealizable by player 1. In general, if a 
property does not suffice as an assumption for player 0, it is not true that restricting it will yield a property 
unrealizable by player 0. However, if a property $P \wedge Q$ is cooperatively unsatisfiable by the two players, then 
further restriction yields an unsatisfiable property. 

Suppose that the property $P$ is realizable by player 1, and the property $P \to Q$ by player 0. Use a 
strategy for each player to control all the variables. The composite strategy satisfies $P \wedge (P \to Q)$, so also 
$P \wedge Q$. Therefore, the property $P \wedge Q$ is satisfiable cooperatively, a contradiction. So, the restriction of $\rho_1$ 
to $\rho$ yields assume-guarantee pairs $P$ for player 1, and $P \to Q$ for player 0, of which at least one is not realizable. 

We turn now to the nonexistence of a recurrence assumption for the conjoined goals $(\Box\Diamond G_1) \wedge (\Box\Diamond G_2)$. 
For each of the goals $\Box\Diamond G_1$ and $\Box\Diamond G_2$ taken separately, there exists a recurrence assumption $\Box\Diamond P$, such that both the 
formula $(\Box\rho_0) \to (\Box\rho_1 \wedge \Box\Diamond P)$ is realizable by player 1, and the formula $(\Box\rho_1 \wedge \Box\Diamond P) \to (\Box\rho_0 \wedge \Box\Diamond G_i)$ 
is realizable by player 0. In particular, 

• $\Box\Diamond s_1$ for $\Box\Diamond G_2$ 

• $\Box\Diamond(s_0 \vee s_5)$ for $\Box\Diamond G_1$. 

The mutual realizability of these assumptions has been confirmed with a GR(1) synthesizer. 

Proposition 24 (Nonexistence of recurrence). 

Assume: Define $\rho_i$ the transition relation of player $i$ by the game of Fig. 4. Define the set of nodes $V = \{s_0, \ldots, s_6\}$. 

Prove: For all sets of nodes $P \subseteq V$, for any initial node, either 

• the property 

$$\varphi_1 = (\Box\rho_0) \to (\Box\rho_1 \wedge \Box\Diamond P) \tag{47}$$

is not realizable by player 1, or 

• the property 

$$\varphi_0 = (\Box\rho_1 \wedge \Box\Diamond P) \to (\Box\rho_0 \wedge \Box\Diamond G_1 \wedge \Box\Diamond G_2) \tag{48}$$

is not realizable by player 0. 

(1)1. $\Box(\rho_0 \wedge \rho_1)$ 

Proof: By Proposition 21, if $\Box(\rho_0 \wedge \rho_1)$ is false for a play, then $\varphi_0$ or $\varphi_1$ is false. 

(1)2. Case: $[\![P]\!] = \emptyset$. 

Proof: By (1)1 and (1)2, $\varphi_1$ is false. 

(1)3. Case: $[\![P]\!] \neq \emptyset$. 

(2)1. Case: $[\![P]\!] \cap \{s_2, s_3\} = \emptyset$. 

(3)1. Define: Player 0 strategy 

$$f = (s_1 \to (s_1 \wedge s_2')) \wedge (s_3 \to (s_3 \wedge s_2')).$$

(3)2. If player 0 uses strategy $f$, then no play satisfies $\Box\Diamond P$. 

(4)1. From the set $\{s_0, s_2, s_4, s_5, s_6\}$, the play visits either node $s_1$, or node $s_3$. 

(4)2. If player 0 uses strategy $f$, then from the nodes in $\{s_1, s_3\}$, the play is $(s_2 s_3)^\omega$. 

Proof: By the strategy $f$ of (3)1. 

(4)3. Any play is of the form $V^*(s_2 s_3)^\omega$. 

Proof: By (4)1, (4)2, and that these cases cover $V$. 

(4)4. Q.E.D. 

Proof: By (4)3 and (2)1. 

(3)3. Q.E.D. 

Proof: By (3)2, if player 0 uses the strategy $f$ of (3)1, then player 1 cannot realize property $\varphi_1$. 
(2)2. Case: $[\![P]\!] \cap \{s_2, s_3\} \neq \emptyset$. 

(3)1. Case: $[\![P]\!] \cap \{s_0, s_1\} \neq \emptyset$. 

(4)1. Define: Player 1 strategy 

$$f = s_4 \to (s_4 \wedge s_1').$$

(4)2. If a play visits a node in $\{s_5, s_6\}$, then it later visits the set $\{s_0, \ldots, s_4\}$. 

(4)3. If player 1 uses strategy $f$ and a play visits the set $\{s_0, \ldots, s_4\}$, then the play remains forever 
in it. 

(5)1. The only edge that exits $\{s_0, \ldots, s_4\}$ is $s_4 \to s_5$. 

(5)2. The edge $s_4 \to s_5$ is not in the strategy $f$ of (4)1. 

(5)3. Q.E.D. 

Proof: By (5)1 and (5)2. 

(4)4. If player 1 uses strategy $f$, then no play visits $G_1$ an infinite number of times. 

Proof: By (4)2 and (4)3. 

(4)5. Any play that remains in $\{s_0, \ldots, s_4\}$ visits $s_0$ and $s_1$, or $s_2$ and $s_3$, an infinite number of times. 

(4)6. Any play that remains in $\{s_0, \ldots, s_4\}$ satisfies $\Box\Diamond P$. 

Proof: By (4)5, (2)2, and (3)1. 

(4)7. If player 1 uses strategy $f$, then all plays satisfy $\Box\Diamond P$. 

Proof: By (4)2, (4)3, and (4)6. 

(4)8. Q.E.D. 

Proof: By (4)4 and (4)7, if player 1 uses strategy $f$, then all plays satisfy $\Box\Diamond P$ and violate $\Box\Diamond G_1$. 
By definition of $\varphi_0$, all plays violate $\varphi_0$. So, there does not exist a winning strategy for player 0. 
(3)2. Case: $[\![P]\!] \cap \{s_0, s_1\} = \emptyset$. 

(4)1. Case: $[\![P]\!] \cap \{s_3, \ldots, s_6\} = \emptyset$. 

(5)1. Define: Player 0 strategy 

$$f = (s_1 \to (s_1 \wedge s_0')) \wedge (s_3 \to (s_3 \wedge s_4')).$$

(5)2. If player 0 uses strategy $f$, then no play visits node $s_2$ infinitely many times. 

Proof: If a play starts at node $s_2$, then it leaves $s_2$. By (5)1, if a play is not at node $s_2$, then 
none of the edges incoming to $s_2$ (namely $s_1 \to s_2$ and $s_3 \to s_2$, both controlled by player 0) is in the strategy $f$. 

(5)3. $[\![P]\!] = \{s_2\}$. 

Proof: By (2)2, (3)2, and (4)1. 

(5)4. If player 0 uses strategy $f$, then no play satisfies $\Box\Diamond P$. 

Proof: By (5)2 and (5)3. 

(5)5. Q.E.D. 

Proof: By (5)4, if player 0 uses strategy $f$, then all plays violate $\Box\Diamond P$. By definition of $\varphi_1$, all 
plays violate $\varphi_1$. So, there does not exist a winning strategy for player 1. 

(4)2. Case: $[\![P]\!] \cap \{s_3, \ldots, s_6\} \neq \emptyset$. 

(5)1. Case: Initial node in $\{s_0, s_1\}$. 

(6)1. Define: Player 0 strategy 

$$f = s_1 \to (s_1 \wedge s_0').$$

(6)2. If player 0 uses strategy $f$, then all plays remain in the set $\{s_0, s_1\}$. 

Proof: By (5)1 and (6)1. 

(6)3. If player 0 uses strategy $f$, then all plays violate $\Box\Diamond P$. 

Proof: By (6)2 and (3)2. 

(6)4. Q.E.D. 

Proof: By definition of $\varphi_1$, and (6)3, if player 0 uses strategy $f$, then all plays violate $\varphi_1$. So, 
there does not exist a winning strategy for player 1. 

(5)2. Case: Initial node not in $\{s_0, s_1\}$. 

(6)1. Define: Player 1 strategy 

$$f = s_4 \to (s_4 \wedge s_5').$$

(6)2. If player 1 uses strategy $f$, then all plays visit infinitely many times either $s_2$ and $s_3$, or 
$s_3$, $s_4$, $s_5$ and $s_6$. 

Proof: By (1)1, (5)2, (6)1, the play remains in the set $\{s_2, \ldots, s_6\}$. The only cycles in 
$\{s_2, \ldots, s_6\}$ are $(s_2, s_3)$ and $(s_3, s_4, s_5, s_6)$. By the pigeonhole principle, at least one of these two 
cycles must be visited an infinite number of times. 

(6)3. If player 1 uses strategy $f$, then all plays satisfy $\Box\Diamond P$. 

Proof: By (6)2, (2)2 and (4)2. 

(6)4. If player 1 uses strategy $f$, then no play visits $[\![G_2]\!]$. 

(7)1. All plays start outside $\{s_0, s_1\}$. 

Proof: By (5)2. 

(7)2. No play that is outside $\{s_0, s_1\}$ enters $\{s_0, s_1\}$. 

Proof: By (6)1, since the only edge from outside into $\{s_0, s_1\}$ is $s_4 \to s_1$, which $f$ never takes. 

(7)3. No play visits $\{s_0, s_1\}$. 

Proof: By (7)1 and (7)2. 

(7)4. Q.E.D. 

Proof: By (7)3 and the definition of $G_2$. 

(6)5. If player 1 uses strategy $f$, then no play satisfies $\Box\Diamond G_2$. 

Proof: By (6)4. 
(6)6. Q.E.D. 

Proof: By (6)3 and (6)5, if player 1 uses strategy $f$, then all plays satisfy $\Box\Diamond P$ and violate 
$\Box\Diamond G_2$. By definition of $\varphi_0$, all plays violate $\varphi_0$. So, there does not exist a winning strategy 
for player 0. 

(5)3. Q.E.D. 

Proof: By (5)1 and (5)2, that cover all initial nodes in $V$. 

(4)3. Q.E.D. 

Proof: By (4)1 and (4)2. 

(3)3. Q.E.D. 

Proof: By (3)1 and (3)2. 

(2)3. Q.E.D. 

Proof: By (2)1 and (2)2. 

(1)4. Q.E.D. 

Proof: By (1)2 and (1)3. 

Lemma 25 (Nonexistence of GR(1) assumption). Define the transition relations $\rho_0, \rho_1$ as in the game of 
Fig. 4. There does not exist a property $P$ in the GR(1) fragment, such that 

$$\varphi_1 = (\Box\rho_0) \to (\Box\rho_1 \wedge P) \tag{49}$$

is realizable by player 1, and 

$$\varphi_0 = (\Box\rho_1 \wedge P) \to (\Box\rho_0 \wedge \Box\Diamond G_1 \wedge \Box\Diamond G_2) \tag{50}$$

is realizable by player 0. 

Proof: By Proposition 23 and Proposition 24. 

This can be avoided by introducing a goal counter $\mathit{goal}$ as an auxiliary variable, and switching between safety 
assumptions depending on the counter, e.g., $\Box((s_4 \wedge \mathit{goal} = 1) \to (s_4 \wedge s_5'))$. 

Here, we decide not to introduce explicitly new variables in the contract, nor safety assumptions that 
fix choices of edges. Instead, in Section 8 we will define nested games, where the safety assumptions are 
introduced by partitioning the game graph into sub-games, avoiding explicit reference to extra variables 
inside the formula. The purpose served by those extra variables is achieved by structuring the contract into 
multiple games. 


8 Nested games 

A structured way of isolating conditional assumptions is by partitioning the game into smaller ones. Each 
smaller game has its own assumptions, independently of the other games. This prevents circularity of 
liveness dependencies. Each game has one reachability objective: to reach the game that contains it. Only 
unconditional liveness assumptions can appear inside each game. Assumptions that themselves depend on 
other liveness assumptions become objectives in their own game. The games partition the game graph. The 
approach of nested games is reminiscent of McNaughton’s recursive algorithm for solving parity games [57]. 
Figure 5: The sets (labeled by predicates) computed by UnconditionalAssumption in Algorithm 1. 


Algorithm 1 Construction of nested-game GR(1) specification, for each recurrence goal $G$ 

1:  procedure GameStack($j$, $G$, $\mathit{uncovered}$, $\mathit{stack}$) 
2:    $\mathit{trap} \leftarrow \top$ 
3:    $\mathit{goal} \leftarrow G$ 
4:    $\mathit{assumptions} \leftarrow \langle\rangle$ 
5:    while $[\![\mathit{trap}]\!] \neq \emptyset$ do                          ▷ Create unconditional assumptions, until stuck 
6:      $\mathit{attr}, \mathit{trap} \leftarrow$ UnconditionalAssumption($j$, $\mathit{goal}$) 
7:      $\mathit{goal} \leftarrow \mathit{attr} \vee \mathit{trap}$ 
8:      $\mathit{assumptions}$.append($\mathit{trap} \to \mathit{attr}$) 
9:    $\mathit{game} \leftarrow (j, \mathit{goal} \wedge \neg G, G, \mathit{assumptions})$ 
10:   $\mathit{stack}$.append($\mathit{game}$) 
11:   $\mathit{uncovered} \leftarrow \mathit{uncovered} \wedge \neg\mathit{goal}$ 
12:   if $[\![\mathit{uncovered}]\!] = \emptyset$ then                        ▷ Covered cooperatively winning set? 
13:     return 
14:   GameStack($1 - j$, $\mathit{goal}$, $\mathit{uncovered}$, $\mathit{stack}$)          ▷ Construct a nested game 
15:   return 

16: procedure UnconditionalAssumption($j$, $g$) 
17:   $A \leftarrow \mathrm{Attr}_j(g)$ 
18:   $B \leftarrow \mathrm{Attr}_{1-j}(A)$ 
19:   $r \leftarrow \neg A \wedge B \wedge \mathrm{Trap}_j(B, A)$ 
20:   return $A, r$ 


Algorithm 1 computes a stack of nested games for reaching a goal $G$. It covers the cooperative winning 
set, so a later visit to $G$ is always possible from any node in that set. Part of the computation is illustrated in 
Fig. 5. 

Proposition 26 (GameStack variant). If procedure GameStack calls GameStack (L14), then the set 
$[\![\mathit{uncovered}]\!]$ after L11 in the caller has at least one more node than $[\![\mathit{uncovered}]\!]$ after L11 in the callee. 

Proof. Consider a call to GameStack by GameStack (L14). Variables in the caller, and in its last call 
to UnconditionalAssumption (L6), will be indexed by 1. Variables in the callee, and in its first call to 
UnconditionalAssumption (L6), will be indexed by 2. 

We will prove that, in the first call of the callee to UnconditionalAssumption (L6), the attractor 
$A_2 = \mathrm{Attr}_{j_2}(g_2)$ will be strictly larger than $g_2$ (L17). We need to prove that there is a node outside $g_2$, from 
where player $j_2$ can force a visit to $g_2$. It is $g_2 = \mathit{goal}_2$ (L16, L6) in the first iteration of the loop (L5). The first 
iteration implies $\mathit{goal}_2 = G_2$ (L3). In the caller, $\mathit{goal}_1 = G_2$ (L14, L1), so $g_2 = \mathit{goal}_2 = G_2 = \mathit{goal}_1$. The value 
of $j_2$ (L17) is $1 - j_1$ in the caller (L16, L6, L1, L14). 

In the caller, L14 was reached. So the loop terminated, implying $[\![\mathit{trap}_1]\!] = \emptyset$ (L5). In the last loop 
iteration, $[\![\mathit{trap}_1]\!] = \emptyset$ implies that $[\![\mathit{goal}_1]\!] = [\![\mathit{attr}_1]\!]$ (L7). The return statement (L13) was not executed, so 
$[\![\mathit{uncovered}_{1,L12}]\!] \neq \emptyset$. By L11, $[\![\mathit{uncovered}_{1,L12}]\!] \neq \emptyset$ implies that $\mathit{goal}_1$ does not cover $\mathit{uncovered}_{1,L1}$. 
By $[\![\mathit{goal}_1]\!] = [\![\mathit{attr}_1]\!]$, it follows that $[\![\mathit{attr}_1]\!]$ does not cover $\mathit{uncovered}_{1,L1}$. 

It is $A_1 = \mathit{attr}_1$ (L6, L20) from the last call to UnconditionalAssumption. So $A_1 = \mathrm{Attr}_{j_1}(g_1)$ does not 
cover $\mathit{uncovered}_{1,L1}$. By definition, $\mathit{uncovered}_{1,L1}$ is a subset of the cooperative winning set, and goal $g_1$ is 
contained in $A_1$. So, any node in $\mathit{uncovered}_{1,L1}$ can reach $g_1$, thus also $A_1$. 

Suppose that no node of player $(1 - j_1)$ in $\mathit{uncovered}_{1,L12} = \mathit{uncovered}_{1,L1} \wedge \neg\mathit{goal}_1 = \mathit{uncovered}_{1,L1} \wedge \neg A_1$ 
has an edge that leads to $A_1$. Then $\mathit{uncovered}_{1,L1} \wedge \neg A_1$ (non-empty) must contain a node of player $j_1$ 
that has an edge to $A_1$. This node must¹ be in $A_1$, because $A_1$ is an attractor for player $j_1$. This is a 
contradiction. We conclude that at least one node of player $j_2 = 1 - j_1$ is in $\mathit{uncovered}_{1,L1} \wedge \neg A_1$ and has an 
edge to $A_1$. This node is outside $A_1 = \mathit{attr}_1 = \mathit{goal}_1 = G_2$, and will be in $A_2 = \mathrm{Attr}_{j_2}(g_2) = \mathrm{Attr}_{1-j_1}(A_1)$ 
in the first call to UnconditionalAssumption by the callee. This proves the claim. □ 

Proposition 27 (GameStack termination). If the game graph is finite, then any call to procedure GameStack 
of Algorithm 1 terminates. 

Proof. A call to GameStack may not terminate for two reasons: the loop or the recursion never terminate. 
Suppose that the loop never terminates, so $[\![\mathit{trap}]\!] \neq \emptyset$. It is $\mathit{goal} = g$ (L6, L16) and $[\![g]\!] \subseteq [\![\mathrm{Attr}_j(g)]\!]$ (attractor 
definition) and $A = \mathrm{Attr}_j(g)$ (L17), so $[\![\mathit{goal}]\!] \subseteq [\![A]\!]$. 

The set $[\![\mathit{trap}]\!] = [\![r]\!]$ (L6, L20) and $[\![r]\!] \cap [\![A]\!] = \emptyset$ (L19), so $[\![\mathit{trap}]\!] \cap [\![A]\!] = \emptyset$. We supposed that $[\![\mathit{trap}]\!] \neq \emptyset$, 
so the set $[\![\mathit{trap}]\!]$ contains nodes outside $[\![A]\!]$. By $[\![\mathit{goal}]\!] \subseteq [\![A]\!]$, it follows that $[\![\mathit{trap}]\!]$ contains nodes outside 
$[\![\mathit{goal}]\!]$. 

So the set $[\![\mathit{goal}]\!]$ increases strictly in each iteration (L7). By hypothesis, the game graph has a finite number 
of nodes, so $\mathit{goal}$ will eventually cover the graph, implying that $[\![B]\!] = [\![A]\!]$ (L18), thus $[\![\mathit{trap}]\!] = [\![r]\!] \subseteq 
[\![\neg A \wedge B]\!] = [\![\neg A \wedge A]\!] = \emptyset$. This contradicts the supposition $[\![\mathit{trap}]\!] \neq \emptyset$. So the loop at L5 terminates. 

Suppose that the number of recursive calls to GameStack is infinite. By Proposition 26, with each 
recursive call to GameStack, the cardinality of the set $[\![\mathit{uncovered}]\!]$ decreases by at least one. We supposed 
an infinite number of recursive calls, so in some recursive call to GameStack, $[\![\mathit{uncovered}]\!] = \emptyset$. So the 
guard of L12 becomes true, and that call returns, without any further recursion, a contradiction. Therefore, 
the number of recursive calls is finite. □ 


Upon termination, the algorithm has computed a stack of games; each game is in effect in a subset of 
the game graph. 

The time complexity is at most quadratic in the number of nodes, with time measured by $\mathrm{CPre}_j$ calls. 
This complexity follows because of the single alternation of least and greatest fixpoints (L17–19). For each call 
to UnconditionalAssumption, either $[\![\mathit{trap}]\!] = \emptyset$, so by Proposition 26 the next call to UnconditionalAssumption 
will remove a node from the uncovered ones, or $[\![\mathit{trap}]\!] \neq \emptyset$, so by Proposition 27 the current 
call removes a node from the uncovered ones. Therefore, UnconditionalAssumption is called at most 
$2|V|$ times. 

Each call to UnconditionalAssumption contains two chained attractor computations, and a trap 
computation. Each of these can invoke $\mathrm{CPre}_j$ at most $|V|$ times. The previous two statements imply that 
the time complexity is at most quadratic in the number of game graph nodes. 

Note that searching for fewer assumptions, inducing a smaller winning set, can be exponentially expensive, 
as proved for syntactic recurrence formulae in [43]. Conceptually, the nesting of games has common elements 
with modular game graphs [59] and open temporal logic [60]. 

Let us revisit the example of Fig. 4 to observe the algorithm's execution. Player 0 wants $\Box\Diamond G_1$, with 
$[\![G_1]\!] = \{s_6\}$. The first call to GameStack will call UnconditionalAssumption. Player 0 can force a visit to $s_6$ from the 
attractor $A = \mathrm{Attr}_0(s_6) = s_5 \vee s_6$. Player 1 can force $A$ from $B = \mathrm{Attr}_1(A) = s_4 \vee s_5 \vee s_6$. But $r = \bot$, 
because player 1 can escape from $s_4$ to $s_1$. 

So, a nested game is constructed over $s_0 \vee s_1 \vee s_2 \vee s_3 \vee s_4$, with player 1 wanting $\Diamond(s_5 \vee s_6)$. In the 
nested game, $A = \mathrm{Attr}_1(s_5 \vee s_6) = s_4 \vee s_5 \vee s_6$. The attractor $B = \mathrm{Attr}_0(s_4 \vee s_5 \vee s_6) = \top$, and player 
0 can keep player 1 in there, until player 0 visits $s_4 \vee s_5 \vee s_6$. So, in the nested game, player 1 makes the 
assumption $\Box\Diamond((s_0 \vee s_1 \vee s_2 \vee s_3) \to (s_4 \vee s_5 \vee s_6)) = \Box\Diamond\neg(s_0 \vee s_1 \vee s_2 \vee s_3)$. This covers the cooperative 
winning set, in this example the entire game graph. 
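The fixpoint computations of Algorithm 1 can be run on the graph of Fig. 4 to reproduce this walkthrough, and the same code exercises the loop and recursion that Propositions 26 and 27 reason about. The following Python implementation is an example added by the editor, not the paper's own code: it implements $\mathrm{CPre}_j$, $\mathrm{Attr}_j$ (a least fixpoint), and GameStack over explicit node sets instead of BDDs, with node ownership and edges reconstructed from the proofs of Propositions 23 and 24. Since $\mathrm{Trap}_j(B, A)$ is not defined in this section, it is taken here (an assumption) to be the greatest subset $X \subseteq B$ from which player $j$ can keep the next node inside $X \cup A$; with that reading the top-level call yields $r = \emptyset$ because player 1 can leave $B$ at $s_4$, exactly as described, and the nested game yields the assumption $\{s_0, s_1, s_2, s_3\} \to \{s_4, s_5, s_6\}$. Assumptions are recorded as (trap, attr) pairs, one per loop iteration, as at line 8 of the algorithm.

```python
# Editor's example (not the paper's code): Attr/Trap fixpoints and GameStack of
# Algorithm 1 over explicit node sets, on the game graph of Fig. 4.
from typing import Dict, FrozenSet, List, Set, Tuple

Node = str
NODES: FrozenSet[Node] = frozenset(f"s{i}" for i in range(7))
# Ownership and edges reconstructed from the proofs of Propositions 23 and 24:
# player 0 moves at the disks s1, s3, s5; player 1 at the boxes s0, s2, s4, s6.
OWNER: Dict[Node, int] = {"s0": 1, "s1": 0, "s2": 1, "s3": 0,
                          "s4": 1, "s5": 0, "s6": 1}
SUCC: Dict[Node, Set[Node]] = {
    "s0": {"s1"}, "s1": {"s0", "s2"}, "s2": {"s3"}, "s3": {"s2", "s4"},
    "s4": {"s1", "s5"}, "s5": {"s6"}, "s6": {"s3"},
}

Assumption = Tuple[FrozenSet[Node], FrozenSet[Node]]        # (trap, attr)
Game = Tuple[int, FrozenSet[Node], FrozenSet[Node], List[Assumption]]


def cpre(j: int, x: FrozenSet[Node]) -> FrozenSet[Node]:
    """Controllable predecessor: nodes from which player j can force the next
    node into x (own node: some successor in x; opponent's node: every
    successor in x, and at least one successor)."""
    out = set()
    for v in NODES:
        succ = SUCC[v]
        if OWNER[v] == j:
            if succ & x:
                out.add(v)
        elif succ and succ <= x:
            out.add(v)
    return frozenset(out)


def attr(j: int, target: FrozenSet[Node]) -> FrozenSet[Node]:
    """Attr_j(target): least fixpoint  mu X. target | CPre_j(X)."""
    x = frozenset(target)
    while True:
        nxt = x | cpre(j, x)
        if nxt == x:
            return x
        x = nxt


def trap(j: int, b: FrozenSet[Node], a: FrozenSet[Node]) -> FrozenSet[Node]:
    """ASSUMED reading of Trap_j(B, A): greatest fixpoint  nu X. B & CPre_j(X | A),
    the part of B from which player j can keep the play inside B until A."""
    x = frozenset(b)
    while True:
        nxt = x & cpre(j, x | a)
        if nxt == x:
            return x
        x = nxt


def unconditional_assumption(j: int, g: FrozenSet[Node]):
    """Lines 16-20 of Algorithm 1: returns (A, r)."""
    a = attr(j, g)
    b = attr(1 - j, a)
    r = (b - a) & trap(j, b, a)
    return a, r


def game_stack(j: int, g: FrozenSet[Node], uncovered: FrozenSet[Node],
               stack: List[Game]) -> List[Game]:
    """Lines 1-15 of Algorithm 1; `uncovered` starts as the cooperative winning set."""
    g = frozenset(g)
    tr, goal, assumptions = NODES, g, []
    while tr:                                  # unconditional assumptions until stuck (L5)
        at, tr = unconditional_assumption(j, goal)
        goal = at | tr
        assumptions.append((tr, at))           # recurrence assumption []<>(trap -> attr) (L8)
    stack.append((j, goal - g, g, assumptions))
    uncovered = uncovered - goal
    if not uncovered:                          # covered the cooperatively winning set (L12)
        return stack
    return game_stack(1 - j, goal, uncovered, stack)   # nested game for the other player (L14)


def nontrivial_assumptions(stack: List[Game]) -> List[Tuple[int, Assumption]]:
    """(player, (trap, attr)) for every recorded assumption whose trap is non-empty."""
    return [(j, asm) for j, _, _, asms in stack for asm in asms if asm[0]]


if __name__ == "__main__":
    for j, (tr, at) in nontrivial_assumptions(game_stack(0, {"s6"}, NODES, [])):
        print(f"player {j} assumes []<>({sorted(tr)} -> {sorted(at)})")
```

For the goal $G_1$ the stack has two games: the top-level game of player 0 with the trivial assumption (empty trap), and the nested game of player 1 whose only non-trivial assumption is the one derived in the text. Running the same construction for $G_2$ (goal $\{s_0\}$) yields, by the symmetry of Fig. 4, the nested assumption $\{s_2, s_3, s_5, s_6\} \to \{s_0, s_1, s_4\}$, i.e. player 1 assumes that player 0 eventually leaves the $s_2$–$s_3$ and $s_3$–$s_4$–$s_5$–$s_6$ cycles. Each recursive call strictly shrinks `uncovered`, which is what Proposition 26 guarantees and Proposition 27 relies on.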

In implementation, the players need to communicate, and select a leader in a cyclic order. Each player 
becomes a leader in turn. Each time a player becomes a leader, it selects its next recurrence goal, in cyclic 
order. It announces the current goal, by using an auxiliary integer variable dedicated to this purpose. Note 
that this operation is analogous to centralized transducer construction. The goal corresponds to a game 
stack, as constructed above. Therefore, all players switch to playing the game that corresponds to the current 
node (i.e., current state). By construction of the stack, the play will be led to the selected goal. When the 
goal is reached, the leader selects the next leader, and the sequence repeats. 

¹ In a turn-based game, from each node, a single player controls all edges. This argument would not hold in a concurrent 
game, a consequence of lacking determinacy [25, 20]. 